CVE-2024-8736 Information

Description

A Denial of Service (DoS) vulnerability exists in multiple file upload endpoints of parisneo/lollms-webui version V12 (Strawberry). The vulnerability can be exploited remotely via Cross-Site Request Forgery (CSRF). Despite CSRF protection preventing file uploads the application still processes multipart boundaries leading to resource exhaustion. By appending additional characters to the multipart boundary an attacker can cause the server to parse each byte of the boundary ultimately leading to service unavailability. This vulnerability is present in the /upload_avatar /upload_app and /upload_logo endpoints.

Reference

https://huntr.com/bounties/935dbc03-1b43-4dbb-b6cd-1aa95a789d4f https://huntr.com/bounties/935dbc03-1b43-4dbb-b6cd-1aa95a789d4f