Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2024-6581

MEDIUM
Published 2024-10-29T12:49:01.555Z
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2024-6581. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.0
6.5
/10
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14
0.003
probability
of exploitation in the wild

There is a 0.3% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit Probability
Percentile: 0.554
Higher than 55.4% of all CVEs

Attack Vector Metrics

Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED

Impact Metrics

Confidentiality
LOW
Integrity
LOW
Availability
LOW

Description

A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Due to incomplete filtering in the sanitize_svg function, this can lead to cross-site scripting (XSS) vulnerabilities, which in turn pose a risk of remote code execution. The sanitize_svg function only removes script elements and 'on*' event attributes, but does not account for other potential vectors for XSS within SVG files. This vulnerability can be exploited when authorized users access a malicious URL containing the crafted SVG file.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

parisneo

parisneo/lollms

Affected Versions:

unspecified
parisneo

lollms

Affected Versions:

0

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

Lollms vulnerable to Cross-site Scripting

GHSA-cm59-8rmv-f2cj

Advisory Details

A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Due to incomplete filtering in the sanitize_svg function, this can lead to cross-site scripting (XSS) vulnerabilities, which in turn pose a risk of remote code execution. The sanitize_svg function only removes script elements and 'on*' event attributes, but does not account for other potential vectors for XSS within SVG files. This vulnerability can be exploited when authorized users access a malicious URL containing the crafted SVG file.

Affected Packages

PyPI lollms
ECOSYSTEM: ≥0 ≤9.5.1

CVSS Scoring

CVSS Score

5.0

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-6581
WEB https://github.com/parisneo/lollms/commit/328b960a0de2097e13654ac752253e9541521ddd
PACKAGE https://github.com/parisneo/lollms
WEB https://github.com/pypa/advisory-database/tree/main/vulns/lollms/PYSEC-2024-116.yaml
WEB https://huntr.com/bounties/ad68ecd6-44e2-449b-8e7e-f2b71b1b43c7

Advisory provided by GitHub Security Advisory Database. Published: October 29, 2024, Modified: November 4, 2024

References

https://huntr.com/bounties/ad68ecd6-44e2-449b-8e7e-f2b71b1b43c7
https://github.com/parisneo/lollms/commit/328b960a0de2097e13654ac752253e9541521ddd
Published: 2024-10-29T12:49:01.555Z
Last Modified: 2024-10-29T13:24:02.586Z
Copied to clipboard!