CVE-2024-11302 Information

Description

A missing check_access() function in the lollms_binding_infos module of the parisneo/lollms repository version V14 allows attackers to add modify and remove bindings arbitrarily. This vulnerability affects the /install_binding and /reinstall_binding endpoints among others enabling unauthorized access and manipulation of binding settings without requiring the client_id value.

Reference

https://huntr.com/bounties/e341304b-4651-4de9-b7b9-b89aead3b46e