CVE-2024-2288 · Severity: HIGH

CVE-2024-2288: CSRF File Upload Vulnerability in parisneo/lollms-webui

Vendor Parisneo
Product parisneo/lollms-webui
Weakness CWE-352 · CSRF
Published June 6, 2024
Last update October 15, 2025

CVSS base score

8.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity Low
Availability High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H

Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in the profile picture upload functionality of the Lollms application, specifically in the parisneo/lollms-webui repository, affecting versions up to 7.3.0. This vulnerability allows attackers to change a victim's profile picture without their consent, potentially leading to a denial of service by overloading the filesystem with files. Additionally, this flaw can be exploited to perform a stored cross-site scripting (XSS) attack, enabling attackers to execute arbitrary JavaScript in the context of the victim's browser session. The issue is resolved in version 9.3.
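The two failure modes the description names (a cross-site request that silently changes a victim's avatar, and an uploaded file that is later rendered as active content) are both addressed by the same upload handler checks. The following is an added example written for this page, not code from lollms-webui or its fix; the request shape, the cookie-carried session token, the allowed origin, the size limit and the avatar path are all assumptions made for illustration. It rejects the request when the browser's Origin does not match the UI, when the double-submit CSRF token is missing or wrong, when the body is not a PNG/JPEG by magic bytes (so HTML or SVG cannot be stored and served back), and it writes every upload to one fixed path per user so repeated uploads overwrite rather than pile up on disk.

```python
"""Hardened profile-picture upload check (added example, not lollms-webui code).

Models the two failures named in CVE-2024-2288: a cross-site request that
changes a victim's avatar (CWE-352) and an uploaded file that is served back
as active content (stored XSS). The request/handler shapes are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass

# Origin the UI is legitimately served from (assumed for the example).
ALLOWED_ORIGIN = "http://localhost:9600"
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed avatar size cap

# Magic-byte prefixes of the only formats an avatar needs to be.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
}


@dataclass
class UploadRequest:
    headers: dict      # lower-cased header names -> values
    cookies: dict      # session cookies sent by the browser
    form: dict         # multipart form fields, including the CSRF token
    file_bytes: bytes  # raw uploaded file


def same_origin(headers: dict) -> bool:
    """Reject requests whose Origin (or Referer, as a fallback) is not ours.
    Browsers attach Origin to cross-site POSTs, so a form auto-submitted from
    attacker.example fails here before the token is even consulted."""
    origin = headers.get("origin")
    if origin is None:
        referer = headers.get("referer", "")
        return referer.startswith(ALLOWED_ORIGIN + "/")
    return origin == ALLOWED_ORIGIN


def token_matches(cookies: dict, form: dict) -> bool:
    """Double-submit token: the form field must equal the cookie value.
    A cross-site page cannot read the victim's cookie, so it cannot forge
    a matching field. Constant-time comparison avoids timing leaks."""
    expected = cookies.get("csrf_token", "")
    given = form.get("csrf_token", "")
    return bool(expected) and hmac.compare_digest(expected, given)


def sniff_image(data: bytes):
    """Return the MIME type if the bytes carry a PNG/JPEG signature, else None.
    HTML or SVG payloads (the stored-XSS vector) have no such prefix."""
    for sig, mime in IMAGE_SIGNATURES.items():
        if data.startswith(sig):
            return mime
    return None


def handle_upload(req: UploadRequest, user_id: str):
    """Decide whether to accept the upload. Returns (accepted, reason, path)."""
    if not same_origin(req.headers):
        return False, "cross-site request rejected", None
    if not token_matches(req.cookies, req.form):
        return False, "missing or mismatched CSRF token", None
    if len(req.file_bytes) > MAX_UPLOAD_BYTES:
        return False, "file too large", None
    mime = sniff_image(req.file_bytes)
    if mime is None:
        return False, "not a PNG/JPEG image", None
    # One fixed path per user: a repeat upload overwrites the previous file,
    # so an attacker cannot fill the filesystem with avatars.
    ext = "png" if mime == "image/png" else "jpg"
    return True, mime, f"avatars/{user_id}.{ext}"


SESSION_TOKEN = secrets.token_hex(16)

# Constructed forged request: an attacker page auto-submits a multipart form;
# the browser adds the victim's cookies but also the attacker's Origin, and
# the attacker cannot fill in the token field.
forged = UploadRequest(
    headers={"origin": "http://attacker.example"},
    cookies={"csrf_token": SESSION_TOKEN},
    form={},
    file_bytes=b"<svg onload=alert(document.cookie)></svg>",
)

# Constructed legitimate request from the UI itself.
legit = UploadRequest(
    headers={"origin": ALLOWED_ORIGIN},
    cookies={"csrf_token": SESSION_TOKEN},
    form={"csrf_token": SESSION_TOKEN},
    file_bytes=b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
)

# Constructed: same origin and a valid token, but the body is HTML.
html_upload = UploadRequest(
    headers={"origin": ALLOWED_ORIGIN},
    cookies={"csrf_token": SESSION_TOKEN},
    form={"csrf_token": SESSION_TOKEN},
    file_bytes=b"<script>alert(1)</script>",
)

if __name__ == "__main__":
    for name, r in (("forged", forged), ("legit", legit), ("html", html_upload)):
        print(name, handle_upload(r, "alice"))
```

The Origin check alone already defeats the forged-form case, because a browser never lets a cross-site page choose the Origin header; the token check covers clients or proxies that strip Origin, and the magic-byte check is what actually closes the stored-XSS path, since a CSRF fix does nothing about a logged-in user uploading HTML to their own profile. Serving avatars with a fixed image Content-Type and `X-Content-Type-Options: nosniff` is the complementary response-side control.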

Disclosure timeline

June 6, 2024 CVE published
October 15, 2025 Record updated
