CVE-2024-7806

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-7806

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-7806.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-7806

Aliases

GHSA-85jc-8h5p-8vw8

Published

2025-03-20T10:15:37Z

Modified

2025-03-27T01:48:48.325318Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF tokens. This allows an attacker to craft a malicious HTML that, when accessed by a victim, can modify the Python code of an existing pipeline and execute arbitrary code with the victim's privileges.

References

https://huntr.com/bounties/9350a68d-5f33-4b3d-988b-81e778160ab8

Affected packages

Git / github.com/open-webui/open-webui

Affected ranges

Type: GIT
Repo: https://github.com/open-webui/open-webui
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

9bcd4ce5c0a01af68c0d2aa44554a68bb741c61b

Affected versions

v0.*

v0.1.102

v0.1.103

v0.1.104

v0.1.105

v0.1.106

v0.1.107

v0.1.108

v0.1.109

v0.1.110

v0.1.111

v0.1.112

v0.1.113

v0.1.114

v0.1.115

v0.1.116

v0.1.117

v0.1.118

v0.1.119

v0.1.120

v0.1.121

v0.1.122

v0.1.123

v0.1.124

v0.1.125

v0.2.0

v0.2.1

v0.2.2

v0.2.3

v0.2.4

v0.2.5

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.3.4

v0.3.5

v0.3.6

v0.3.7

v0.3.8