Description

A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Due to incomplete filtering in the sanitize_svg function, this can lead to cross-site scripting (XSS) vulnerabilities, which in turn pose a risk of remote code execution. The sanitize_svg function only removes script elements and 'on*' event attributes, but does not account for other potential vectors for XSS within SVG files. This vulnerability can be exploited when authorized users access a malicious URL containing the crafted SVG file.

INFO

Published Date :

2024-10-29T12:49:01.555Z

Last Modified :

2024-10-29T13:24:02.586Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2024-6581 vulnerability.

Vendors Products
Lollms
  • Lord Of Large Language Models
Parisneo
  • Lollms
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-6581.

URL Resource
https://github.com/parisneo/lollms/commit/328b960a0de2097e13654ac752253e9541521ddd cve-icon cve-icon
https://huntr.com/bounties/ad68ecd6-44e2-449b-8e7e-f2b71b1b43c7 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact