We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-6959

Denial of Service (DOS) in multipart boundary while uploading file in parisneo/lollms-webui



Description

A vulnerability in parisneo/lollms-webui version 9.8 allows for a Denial of Service (DOS) attack when uploading an audio file. If an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process each character, rendering lollms-webui inaccessible. This issue is exacerbated by the lack of Cross-Site Request Forgery (CSRF) protection, enabling remote exploitation. The vulnerability leads to service disruption, resource exhaustion, and extended downtime.

Reserved 2024-07-20 | Published 2024-10-13 | Updated 2024-11-03 | Assigner @huntr_ai


HIGH: 7.1CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

Problem types

CWE-352 Cross-Site Request Forgery (CSRF)

Product status

Any version
affected

References

huntr.com/bounties/6394d32e-f35c-418a-95b8-e7254ed0bc8e

cve.org (CVE-2024-6959)

nvd.nist.gov (CVE-2024-6959)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-6959

Support options

Helpdesk Chat, Email, Knowledgebase
Telegram Chat
Subscribe to our newsletter to learn more about our work.