CVE-2024-7053 HIGH

CVE-2024-7053: Session Fixation in open-webui/open-webui

Vendor Open-Webui
Product open-webui/open-webui
Weakness CWE-79 · XSS
Published March 20, 2025
Last update March 20, 2025
View on NVD All CVEs

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

What the vulnerability does

01Description

A vulnerability in open-webui/open-webui version 0.3.8 allows an attacker with a user-level account to perform a session fixation attack. The session cookie for all users is set with the default `SameSite=Lax` and does not have the `Secure` flag enabled, allowing the session cookie to be sent over HTTP to a cross-origin domain. An attacker can exploit this by embedding a malicious markdown image in a chat, which, when viewed by an administrator, sends the admin's session cookie to the attacker's server. This can lead to a stealthy administrator account takeover, potentially resulting in remote code execution (RCE) due to the elevated privileges of administrator accounts.

Key dates

02Disclosure timeline

March 20, 2025 CVE published
March 20, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-3082 Post SMTP <= 2.5.7 - Unauthenticated Stored Cross-Site Scripting via Email CVE-2026-32450 WordPress Active Products Tables for WooCommerce plugin <= 1.0.7 - Cross Site Scripting (XSS) vulnerability CVE-2024-2968 WP-Eggdrop <= 0.1 - Authenticated (Admin+) Stored Cross-Site Scripting CVE-2025-1613 FiberHome AN5506-01A ONU GPON URL Filtering Submenu URL_filterCfg cross site scripting CVE-2023-33130 Microsoft SharePoint Server Spoofing Vulnerability