CVE-2024-6040 Information

Description

In parisneo/lollms-webui version v9.8 the lollms_binding_infos is missing the client_id parameter which leads to multiple security vulnerabilities. Specifically the endpoints /reload_binding /install_binding /reinstall_binding /unInstall_binding /set_active_binding_settings and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim’s machine.

Reference

https://huntr.com/bounties/ac0bbb1d-89aa-42ba-bc48-1b59bd16acc7