CVE-2024-8736

Exploit

EPSS 0.07%
Veröffentlicht 20.03.2025 10:11:17
Zuletzt bearbeitet 04.04.2025 09:15:16
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

A Denial of Service (DoS) vulnerability exists in multiple file upload endpoints of parisneo/lollms-webui version V12 (Strawberry). The vulnerability can be exploited remotely via Cross-Site Request Forgery (CSRF). Despite CSRF protection preventing file uploads, the application still processes multipart boundaries, leading to resource exhaustion. By appending additional characters to the multipart boundary, an attacker can cause the server to parse each byte of the boundary, ultimately leading to service unavailability. This vulnerability is present in the `/upload_avatar`, `/upload_app`, and `/upload_logo` endpoints.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Lollms ≫ Lollms Web Ui Version12

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.21

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
security@huntr.dev	7.1	2.8	4.2	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://huntr.com/bounties/935dbc03-1b43-4dbb-b6cd-1aa95a789d4f

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-8736

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-8736

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-8736

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-8736