CVE-2024-5482 HIGH

CVE-2024-5482: SSRF in add_webpage endpoint in parisneo/lollms-webui

Vendor Parisneo
Product parisneo/lollms-webui
Weakness CWE-918 · SSRF
Published June 6, 2024
Last update August 1, 2024

CVSS base score

7.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

What the vulnerability does

Description

A Server-Side Request Forgery (SSRF) vulnerability exists in the 'add_webpage' endpoint of the parisneo/lollms-webui application, affecting the latest version. The vulnerability arises because the application does not adequately validate URLs entered by users, allowing them to input arbitrary URLs, including those that target internal resources such as 'localhost' or '127.0.0.1'. This flaw enables attackers to make unauthorized requests to internal or external systems, potentially leading to access to sensitive data, service disruption, network integrity compromise, business logic manipulation, and abuse of third-party resources. The issue is critical and requires immediate attention to maintain the application's security and integrity.

Key dates

Disclosure timeline

June 6, 2024 CVE published
August 1, 2024 Record updated
