CVE-2024-6674 — HIGH (7.1) — White Hats Nepal

Q: How severe is CVE-2024-6674?

CVE-2024-6674 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-6674?

Check the references section above for vendor advisories and patch information. Affected products include: Lollms Lollms Web Ui.

Vulnerability Description

A CORS misconfiguration in parisneo/lollms-webui prior to version 10 allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. This vulnerability can also enable attackers to perform actions on behalf of a user, such as deleting a project or sending a message. The issue impacts the confidentiality and integrity of the information.

CVSS Score

7.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Lollms	Lollms Web Ui	< 10

Related Weaknesses (CWE)

CWE-346

References

https://github.com/parisneo/lollms-webui/commit/c1bb1ad19752aa7541675b398495eaf9Patch
https://huntr.com/bounties/e688f71b-a3a4-4f6d-b48a-837073fa6908ExploitThird Party Advisory

FAQ

What is CVE-2024-6674?

CVE-2024-6674 is a vulnerability with a CVSS score of 7.1 (HIGH). A CORS misconfiguration in parisneo/lollms-webui prior to version 10 allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other...

How severe is CVE-2024-6674?

CVE-2024-6674 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-6674?

Check the references section above for vendor advisories and patch information. Affected products include: Lollms Lollms Web Ui.