CVE-2024-8736

Medium CVSS: 6.5

A Denial of Service (DoS) vulnerability exists in multiple file upload endpoints of parisneo/lollms-webui version V12 (Strawberry). The vulnerability can be exploited remotely via Cross-Site Request Forgery (CSRF). Despite CSRF protection preventing file uploads, the application still processes multipart boundaries, leading to resource exhaustion. By appending additional characters to the multipart boundary, an attacker can cause the server to parse each byte of the boundary, ultimately leading to service unavailability. This vulnerability is present in the `/upload_avatar`, `/upload_app`, and `/upload_logo` endpoints.

Vendor

Lollms

Product

Lollms Web Ui

CWE

CWE-352

Yayın Tarihi

2025-03-20 10:15:43

Güncelleme

2025-04-04 09:15:16

Source Identifier

security@huntr.dev

KEV Date Added

Kategoriler

CWE-352 Lollms Web Ui MEDIUM Lollms 2025

Referanslar

https://huntr.com/bounties/935dbc03-1b43-4dbb-b6cd-1aa95a789d4f https://huntr.com/bounties/935dbc03-1b43-4dbb-b6cd-1aa95a789d4f

Benzer Kayıtlar

High

CVE-2026-0560

A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in th…

High

CVE-2026-0562

A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or rej…

Critical

CVE-2026-0558

A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and proces…

High

CVE-2025-1451

A vulnerability in parisneo/lollms-webui v13 arises from the server's handling of multipart boundaries in file uploads.…

High

CVE-2024-9919

A missing authentication check in the uninstall endpoint of parisneo/lollms-webui V13 allows attackers to perform unauth…

High

CVE-2024-9920

In version v12 of parisneo/lollms-webui, the 'Send file to AL' function allows uploading files with various extensions,…