The vulnerability arises from improper handling of Cross-Origin Resource Sharing (CORS) requests, allowing an attacker to bypass the same-origin policy. This misconfiguration enables an attacker to craft a malicious webpage that, when visited by a user, can make unauthorized requests to the vulnerable application and exfiltrate sensitive data. The attacker can access logs, browser sessions, and private API keys, and can also perform actions on behalf of the user, such as deleting projects or sending messages.

An attacker hosts a malicious webpage containing JavaScript code designed to exploit the CORS misconfiguration. The attacker then tricks a user into visiting this webpage. Once the user visits the page, the JavaScript code makes an unauthorized request to the vulnerable application running on the user's machine, retrieves sensitive information, and sends it back to the attacker's server.

Users running any version of parisneo/lollms-webui prior to version 10 are affected. This includes individuals and organizations using the platform who may have sensitive information such as API keys and logs stored within the application.