CVE-2024-7806

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-7806
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-7806.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-7806
Aliases
Published
2025-03-20T10:15:37Z
Modified
2025-03-27T01:48:48.325318Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

A vulnerability in open-webui/open-webui versions <= 0.3.8 allows remote code execution by non-admin users via Cross-Site Request Forgery (CSRF). The application uses cookies with the SameSite attribute set to lax for authentication and lacks CSRF tokens. This allows an attacker to craft a malicious HTML that, when accessed by a victim, can modify the Python code of an existing pipeline and execute arbitrary code with the victim's privileges.

References

Affected packages

Git / github.com/open-webui/open-webui

Affected ranges

Type
GIT
Repo
https://github.com/open-webui/open-webui
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

v0.*

v0.1.102
v0.1.103
v0.1.104
v0.1.105
v0.1.106
v0.1.107
v0.1.108
v0.1.109
v0.1.110
v0.1.111
v0.1.112
v0.1.113
v0.1.114
v0.1.115
v0.1.116
v0.1.117
v0.1.118
v0.1.119
v0.1.120
v0.1.121
v0.1.122
v0.1.123
v0.1.124
v0.1.125
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8