CVE-2024-7053

Severity: CRITICAL | CVSS 9/10 | EPSS 0.66%

Last modified

CVE-2024-7053 is a critical-severity vulnerability rated 9/10 on the CVSS scale. A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session fixation attack. The session cookie for all users is set with the default `SameSite=Lax` and does not have the `Secure` flag enabled, allowing the session cookie to be sent over HTTP to a cross-origin domain. EPSS estimates a 0.66% chance of exploitation in the next 30 days.

Description

A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session fixation attack. The session cookie for all users is set with the default `SameSite=Lax` and does not have the `Secure` flag enabled, allowing the session cookie to be sent over HTTP to a cross-origin domain. An attacker can exploit this by embedding a malicious markdown image in a chat, which, when viewed by an administrator, sends the admin's session cookie to the attacker's server. This can lead to a stealthy administrator account takeover, potentially resulting in remote code execution (RCE) due to the elevated privileges of administrator accounts.
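As an added defender-side example (not code from the Open WebUI project or from this advisory), the following Python audits a Set-Cookie header for the attribute combination the description names (no Secure flag, SameSite left to the browser default) and builds the hardened header to compare against; the cookie name and values are constructed samples.

```python
# Constructed sample headers, not captured from Open WebUI. The weak one has the
# shape the advisory describes: no Secure, no HttpOnly, no explicit SameSite.
WEAK_HEADER = "session=abc123; Path=/"
HARDENED_HEADER = "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and lower-cased attributes."""
    pieces = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        # Flag attributes such as Secure and HttpOnly carry no value.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_session_cookie(header: str) -> list[str]:
    """Return the findings a reviewer would raise for a session cookie header."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is also sent over plaintext HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable from page script")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        findings.append("SameSite not set explicitly: relying on browser default (Lax)")
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: rejected by modern browsers")
    return findings


def build_session_cookie(name: str, value: str, samesite: str = "Strict") -> str:
    """Build a Set-Cookie header with the hardened attribute set."""
    if samesite not in ("Strict", "Lax"):
        raise ValueError("session cookies should use SameSite=Strict or Lax")
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite={samesite}"


if __name__ == "__main__":
    for h in (WEAK_HEADER, HARDENED_HEADER):
        print(h, "->", audit_session_cookie(h) or ["ok"])
```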

Metrics

CVSS 3.1
9/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CVSS 3.0
7.6/10

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

EPSS Probability
0.66%

46.9th percentile

Probability of exploitation in the next 30 days.

Weakness Enumeration

Affected Software

Vendor      Product      Versions
Openwebui   Open Webui   0.3.8

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2024-7053?
A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session fixation attack. The session cookie for all users is set with the default `SameSite=Lax` and does not have the `Secure` flag enabled, allowing the session cookie to be sent over HTTP to a cross-origin domain. An attacker can exploit this by embedding a malicious markdown image in a chat, which, when viewed by an administrator, sends the admin's session cookie to the attacker's server. This can lead to a stealthy administrator account takeover, potentially resulting in remote code execution (RCE) due to the elevated privileges of administrator accounts.
How severe is CVE-2024-7053?
CVE-2024-7053 has a CVSS score of 9/10 (CRITICAL severity). The EPSS model estimates a 0.66% probability of exploitation in the next 30 days.
How do I fix CVE-2024-7053?
Check the vendor references and advisories linked above for patched versions and mitigation guidance.


Source: NVD / NIST