Strix
26.1K

CVE-2024-5125

HIGHCVSS 7.3/10EPSS 0.31%

Last modified

CVE-2024-5125 is a high-severity vulnerability rated 7.3/10 on the CVSS scale. parisneo/lollms-webui version 9.6 is vulnerable to Cross-Site Scripting (XSS) and Open Redirect due to inadequate input validation and processing of SVG files during the upload process. The XSS vulnerability allows attackers to embed malicious JavaScript code within SVG files, which is executed upon rendering, leading to potential credential theft and unauthorized data access. EPSS estimates a 0.31% chance of exploitation in the next 30 days.

Description

parisneo/lollms-webui version 9.6 is vulnerable to Cross-Site Scripting (XSS) and Open Redirect due to inadequate input validation and processing of SVG files during the upload process. The XSS vulnerability allows attackers to embed malicious JavaScript code within SVG files, which is executed upon rendering, leading to potential credential theft and unauthorized data access. The Open Redirect vulnerability arises from insufficient URL validation within SVG files, enabling attackers to redirect users to malicious websites, thereby exposing them to phishing attacks, malware distribution, and reputation damage. These vulnerabilities are present in the application's functionality to send files to the AI module.

Metrics

CVSS 3.1
7.3/10

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H

EPSS Probability
0.31%

22.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
LollmsLollms-Webui9.6

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2024-5125?
parisneo/lollms-webui version 9.6 is vulnerable to Cross-Site Scripting (XSS) and Open Redirect due to inadequate input validation and processing of SVG files during the upload process. The XSS vulnerability allows attackers to embed malicious JavaScript code within SVG files, which is executed upon rendering, leading to potential credential theft and unauthorized data access. The Open Redirect vulnerability arises from insufficient URL validation within SVG files, enabling attackers to redirect users to malicious websites, thereby exposing them to phishing attacks, malware distribution, and reputation damage. These vulnerabilities are present in the application's functionality to send files to the AI module.
How severe is CVE-2024-5125?
CVE-2024-5125 has a CVSS score of 7.3/10 (HIGH severity). The EPSS model estimates a 0.31% probability of exploitation in the next 30 days.
How do I fix CVE-2024-5125?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-5125?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST