CVE-2024-8736

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-8736

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-8736.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-8736

Published

2025-03-20T10:15:43Z

Modified

2025-04-04T10:47:00.990432Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

A Denial of Service (DoS) vulnerability exists in multiple file upload endpoints of parisneo/lollms-webui version V12 (Strawberry). The vulnerability can be exploited remotely via Cross-Site Request Forgery (CSRF). Despite CSRF protection preventing file uploads, the application still processes multipart boundaries, leading to resource exhaustion. By appending additional characters to the multipart boundary, an attacker can cause the server to parse each byte of the boundary, ultimately leading to service unavailability. This vulnerability is present in the /upload_avatar, /upload_app, and /upload_logo endpoints.

References

https://huntr.com/bounties/935dbc03-1b43-4dbb-b6cd-1aa95a789d4f

Affected packages

Git / github.com/parisneo/lollms-webui

Affected ranges

Type: GIT
Repo: https://github.com/parisneo/lollms-webui
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

da47cb36445a0809e383e586e76353c6975e3498

Affected versions

v0.*

v0.0.1

v0.0.2

v0.0.3

v0.0.4

v0.0.5

v0.0.6

v0.0.7

v0.0.8

v0.0.9

Other

v12

v3.*

v3.0

v3.5

v4.*

v4.0

v5.*

v5.0

v6.*

v6.0

v6.5

v6.5.0

v6.5rc2

v6.7

v7.*

v7.0

v8.*

v8.0

v8.5

v9.*

v9.0

v9.1

v9.2

v9.3

v9.4

v9.5

v9.6

v9.8