Data Leak via CORS Misconfiguration
A CORS misconfiguration in parisneo/lollms-webui lets a web page under an attacker's control read the application's responses cross-origin. An attacker who lures a user of the web UI to such a page can steal sensitive information such as logs, browser sessions, and private API keys. All versions prior to version 10 are affected; version 10 contains the fix.
Available publicly on Oct 15 2024 | Available with Premium on Jul 10 2024
Remediation Steps
- Update to version 10 or later of parisneo/lollms-webui.
- Ensure that CORS policies only allow an explicit list of trusted origins: never reflect the request's Origin header into Access-Control-Allow-Origin, and never combine a wildcard or reflected origin with Access-Control-Allow-Credentials: true.
- Regularly review and test CORS configurations, for example by sending a request with an untrusted Origin header and checking that it is not echoed back, to prevent similar vulnerabilities.
- Educate users about the risks of visiting untrusted URLs and the importance of keeping software up to date.
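The following is an added example, not code from lollms-webui or from the patch commit. It reproduces the vulnerability class described above (an endpoint that reflects any Origin and allows credentials) beside a hardened allowlist version, and includes the probe a reviewer would run against a deployment: request a sensitive path with an untrusted Origin and a cookie, then inspect the CORS response headers. The endpoint path /api/keys, the origins lollms.example and evil.example, and the sample API key are constructed for the example.

```python
"""Added example: demonstrate a credentialed CORS misconfiguration and probe for it.
Everything here (paths, origins, key value) is constructed; it is not lollms-webui code."""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed allowlist of origins that may read authenticated responses.
TRUSTED_ORIGINS = {"https://lollms.example"}


class Handler(BaseHTTPRequestHandler):
    reflect_origin = False  # True reproduces the misconfiguration class

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        origin = self.headers.get("Origin")
        body = json.dumps({"api_key": "sk-constructed-sample"}).encode()  # constructed
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        if origin:
            if self.reflect_origin:
                # Misconfiguration: echo whatever Origin the browser sent and
                # allow credentials, so a page on evil.example can read the body
                # using the victim's session cookie.
                self.send_header("Access-Control-Allow-Origin", origin)
                self.send_header("Access-Control-Allow-Credentials", "true")
            elif origin in TRUSTED_ORIGINS:
                # Hardened: exact-match allowlist; Vary keeps caches from
                # serving one origin's CORS headers to another.
                self.send_header("Access-Control-Allow-Origin", origin)
                self.send_header("Access-Control-Allow-Credentials", "true")
                self.send_header("Vary", "Origin")
            # Untrusted origin: no CORS headers at all, the browser blocks the read.
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server(reflect):
    """Start a local server on an ephemeral port; reflect=True is the vulnerable variant."""
    handler = type("DemoHandler", (Handler,), {"reflect_origin": reflect})
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(base_url, origin="https://evil.example"):
    """Request a sensitive path as if from `origin` with a session cookie attached.

    readable: a page at `origin` could read the response body at all.
    credentialed: it could do so with the victim's cookies (ACAO echoes the
    origin and ACAC is true; browsers refuse credentialed reads for ACAO '*').
    Run with an origin you do not trust: readable=True is then the finding.
    """
    req = urllib.request.Request(
        base_url + "/api/keys",
        headers={"Origin": origin, "Cookie": "session=constructed"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        acao = resp.headers.get("Access-Control-Allow-Origin")
        acac = resp.headers.get("Access-Control-Allow-Credentials")
    readable = acao in ("*", origin)
    credentialed = acao == origin and (acac or "").lower() == "true"
    return {"acao": acao, "acac": acac, "readable": readable, "credentialed": credentialed}


if __name__ == "__main__":
    for reflect in (True, False):
        srv = start_server(reflect)
        try:
            print("reflecting" if reflect else "allowlisted", probe(f"http://127.0.0.1:{srv.server_port}"))
        finally:
            srv.shutdown()
```

Running the script shows the reflecting variant answering an evil.example request with Access-Control-Allow-Origin: https://evil.example and Access-Control-Allow-Credentials: true (readable and credentialed), while the allowlisted variant returns no CORS headers for that origin. The same probe, pointed at a real deployment with an Origin you do not control, is the check the remediation steps call for.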
Patch Details
- Fixed Version: 10
- Patch Commit: https://github.com/ParisNeo/lollms-webui/commit/c1bb1ad19752aa7541675b398495eaf98fd589f1