Data Leak via CORS Misconfiguration
A CORS misconfiguration in parisneo/lollms-webui allows attackers to steal sensitive information such as logs, browser sessions, and private API keys. The issue affects all versions prior to version 10, which contains the fix.
Available publicly on Oct 15 2024 | Available with Premium on Jul 10 2024
Threat Overview
The vulnerability arises from improper handling of Cross-Origin Resource Sharing (CORS) requests, allowing an attacker to bypass the same-origin policy. This misconfiguration enables an attacker to craft a malicious webpage that, when visited by a user, can make unauthorized requests to the vulnerable application and exfiltrate sensitive data. The attacker can access logs, browser sessions, and private API keys, and can also perform actions on behalf of the user, such as deleting projects or sending messages.
Attack Scenario
An attacker hosts a malicious webpage containing JavaScript code designed to exploit the CORS misconfiguration. The attacker then tricks a user into visiting this webpage. Once the user visits the page, the JavaScript code makes an unauthorized request to the vulnerable application running on the user's machine, retrieves sensitive information, and sends it back to the attacker's server.
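The check below is an added example, not code from lollms-webui or from this advisory. It models the browser's rule for letting a page read a cross-origin response and runs it against two weak policies and an allowlist. The advisory does not say which form the misconfiguration took, so the policy functions, the origins and the allowlist are all constructed assumptions.

```python
# Added example: which origins can read responses under a given CORS policy?
# All origins and the allowlist are constructed sample values.

ALLOWED_ORIGINS = {"http://localhost:8000"}  # assumed origin of the legitimate UI

def reflecting_policy(origin):
    """Weak (assumed shape): echoes any request Origin and allows credentials."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}

def wildcard_policy(origin):
    """Weak (assumed shape): any page may read non-credentialed responses."""
    return {"Access-Control-Allow-Origin": "*"}

def allowlist_policy(origin, allowed=ALLOWED_ORIGINS):
    """Hardened: CORS headers only for exact, pre-approved origins."""
    if origin in allowed:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}  # keeps caches from reusing one origin's grant
    return {}

def page_can_read(origin, headers, with_credentials=False):
    """Browser-side rule: may a script served from `origin` read the response?"""
    acao = headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if with_credentials:
        # With cookies attached, "*" is rejected; an exact match plus ACAC is needed.
        return (acao == origin
                and headers.get("Access-Control-Allow-Credentials") == "true")
    return acao == "*" or acao == origin

def audit(policy, probe_origins):
    """Return the probe origins whose pages could read responses in either mode."""
    return [o for o in probe_origins
            if page_can_read(o, policy(o)) or page_can_read(o, policy(o), True)]

# "null" is the origin sent by sandboxed iframes and some local documents.
PROBES = ["http://localhost:8000", "https://unrelated.example", "null"]

if __name__ == "__main__":
    for policy in (reflecting_policy, wildcard_policy, allowlist_policy):
        print(f"{policy.__name__:18} readable from: {audit(policy, PROBES)}")
```

For a service that listens on the user's own machine without authentication, the wildcard case is as exposed as the reflecting one, because no cookie is needed for the response to be worth reading.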
Who is affected
Users running any version of parisneo/lollms-webui prior to version 10 are affected. This includes individuals and organizations using the platform who may have sensitive information such as API keys and logs stored within the application.
Technical Report