CVE-2024-2299

A stored Cross-Site Scripting (XSS) vulnerability exists in the parisneo/lollms-webui application due to improper validation of uploaded files in the profile picture upload functionality. Attackers can exploit this vulnerability by uploading malicious HTML files containing JavaScript code, which is executed when the file is accessed. This vulnerability is remotely exploitable via Cross-Site Request Forgery (CSRF), allowing attackers to perform actions on behalf of authenticated users and potentially leading to unauthorized access to sensitive information within the Lollms-webui application.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://huntr.com/bounties/f1adaac0-b9ed-4093-a0f3-2d0a4ecba398	Exploit Third Party Advisory Issue Tracking Patch
https://huntr.com/bounties/f1adaac0-b9ed-4093-a0f3-2d0a4ecba398	Exploit Third Party Advisory Issue Tracking Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:lollms:lollms_web_ui:*:*:*:*:*:*:*:*

History

09 Jul 2025, 14:41

Type	Values Removed	Values Added
References	~~() https://huntr.com/bounties/f1adaac0-b9ed-4093-a0f3-2d0a4ecba398 -~~	() https://huntr.com/bounties/f1adaac0-b9ed-4093-a0f3-2d0a4ecba398 - Exploit, Third Party Advisory, Issue Tracking, Patch
First Time		Lollms lollms Web Ui Lollms
CVSS	v2 : ~~unknown~~ v3 : ~~7.4~~	v2 : unknown v3 : 6.1
CPE		cpe:2.3:a:lollms:lollms_web_ui::::::::

Information

Published : 2024-05-14 15:18

Updated : 2025-07-09 14:41

NVD link : CVE-2024-2299

Mitre link : CVE-2024-2299

CVE.ORG link : CVE-2024-2299

JSON object : View

Products Affected

lollms

lollms_web_ui

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-2299", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2024-05-14T15:18:47.760", "references": [{"url": "https://huntr.com/bounties/f1adaac0-b9ed-4093-a0f3-2d0a4ecba398", "tags": ["Exploit", "Third Party Advisory", "Issue Tracking", "Patch"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/f1adaac0-b9ed-4093-a0f3-2d0a4ecba398", "tags": ["Exploit", "Third Party Advisory", "Issue Tracking", "Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "A stored Cross-Site Scripting (XSS) vulnerability exists in the parisneo/lollms-webui application due to improper validation of uploaded files in the profile picture upload functionality. Attackers can exploit this vulnerability by uploading malicious HTML files containing JavaScript code, which is executed when the file is accessed. This vulnerability is remotely exploitable via Cross-Site Request Forgery (CSRF), allowing attackers to perform actions on behalf of authenticated users and potentially leading to unauthorized access to sensitive information within the Lollms-webui application."}, {"lang": "es", "value": "Existe una vulnerabilidad de Cross Site Scripting (XSS) almacenado en la aplicaci\u00f3n parisneo/lollms-webui debido a una validaci\u00f3n incorrecta de los archivos cargados en la funcionalidad de carga de im\u00e1genes de perfil. Los atacantes pueden aprovechar esta vulnerabilidad cargando archivos HTML maliciosos que contienen c\u00f3digo JavaScript, que se ejecuta cuando se accede al archivo. Esta vulnerabilidad se puede explotar de forma remota mediante Cross-Site Request Forgery (CSRF), lo que permite a los atacantes realizar acciones en nombre de usuarios autenticados y potencialmente conducir a un acceso no autorizado a informaci\u00f3n confidencial dentro de la aplicaci\u00f3n Lollms-webui."}], "lastModified": "2025-07-09T14:41:13.210", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lollms:lollms_web_ui:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E7DA38B5-6496-47C5-88AF-17C4AF269B59", "versionEndExcluding": "9.5"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}