CVE-2024-6674

7.1 HIGH

📋 TL;DR

A CORS misconfiguration in lollms-webui allows attackers to steal sensitive information like logs, browser sessions, and settings containing private API keys from other services. This vulnerability can also enable attackers to perform actions on behalf of users, such as deleting projects or sending messages. All users running lollms-webui versions prior to 10 are affected.

💻 Affected Systems

Products:
  • parisneo/lollms-webui
Versions: All versions prior to 10
Operating Systems: all
Default Config Vulnerable: ⚠️ Yes
Notes: Any deployment with CORS misconfiguration is vulnerable regardless of OS or infrastructure.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of user accounts, theft of all sensitive data including API keys, unauthorized deletion of projects, and impersonation of users across integrated services.

🟠

Likely Case

Theft of session data and API keys leading to unauthorized access to integrated services, potential data exfiltration, and limited unauthorized actions within the webui.

🟢

If Mitigated

Minimal impact with proper CORS policies, network segmentation, and API key rotation limiting exposure to only publicly accessible data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to lure a victim's browser to a malicious site; no authentication against lollms-webui is needed to abuse the CORS misconfiguration, because the victim's own session is used.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10

Vendor Advisory: https://github.com/parisneo/lollms-webui/commit/c1bb1ad19752aa7541675b398495eaf98fd589f1

Restart Required: Yes

Instructions:

1. Update to version 10 or later.
2. Restart the lollms-webui service.
3. Verify CORS headers are properly configured.

🔧 Temporary Workarounds

Manual CORS Configuration (OS: all)

Manually configure proper CORS headers to restrict cross-origin requests.

Edit the CORS configuration in the lollms-webui settings so that only the origins you actually serve the UI from are allowed.

Reverse Proxy CORS Control (OS: linux)

Use a reverse proxy (nginx/apache) to enforce proper CORS headers.

Add an 'add_header Access-Control-Allow-Origin' directive naming specific origins in the nginx config, and make sure the proxy strips any permissive CORS headers the backend emits.

🧯 If You Can't Patch

  • Implement strict CORS policies via reverse proxy or application firewall
  • Isolate lollms-webui behind VPN or internal network only

🔍 How to Verify

Check if Vulnerable:

Send a request carrying an Origin header you do not control and check whether the Access-Control-Allow-Origin response header is '*', echoes that arbitrary origin back, or carries another overly permissive value; Access-Control-Allow-Credentials: true alongside a reflected origin is the worst case, because the browser will attach the victim's session.

Check Version:

Check lollms-webui version in web interface or package manager

Verify Fix Applied:

Verify CORS headers restrict origins appropriately and version is 10+
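The check above, as an added example (not code from the advisory or from the lollms-webui project): classify_cors turns one response's headers into a verdict, and probe_instance sends a single GET with a foreign Origin to an instance you operate. PROBE_ORIGIN, the base URL and the default path "/" are assumptions; the verdict names are this example's own.

```python
"""Added example: verify whether an HTTP endpoint answers cross-origin
requests with permissive CORS headers. Not part of lollms-webui.
Uses only the standard library so it runs anywhere."""
import http.client
from urllib.parse import urlparse

# Constructed probe origin: a host that the target has no reason to trust.
# If the server echoes it back, any site on the web could read responses.
PROBE_ORIGIN = "https://cors-check.example"


def classify_cors(headers: dict, probe_origin: str = PROBE_ORIGIN) -> str:
    """Return a verdict for the CORS headers of one response.

    headers: mapping of header name -> value (looked up case-insensitively).
    Verdicts (names are this example's own):
      'none'        no CORS header; browsers block cross-origin reads
      'restricted'  ACAO names a fixed origin other than the probe
      'wildcard'    ACAO is '*': readable by any site, though browsers
                    refuse to send cookies when ACAO is '*'
      'reflected'   ACAO echoes the arbitrary probe origin
      'reflected+credentials'  echo plus Allow-Credentials: true, so the
                    victim's session cookies ride along (worst case)
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "none"
    if acao == "*":
        return "wildcard"
    if acao == probe_origin:
        return "reflected+credentials" if creds else "reflected"
    return "restricted"


def is_vulnerable(verdict: str) -> bool:
    """True for any verdict that lets a foreign page read responses."""
    return verdict in {"wildcard", "reflected", "reflected+credentials"}


def probe_instance(base_url: str, path: str = "/",
                   probe_origin: str = PROBE_ORIGIN, timeout: float = 5.0) -> str:
    """Send one GET with a foreign Origin to an instance you run and classify
    the answer. base_url and path are placeholders; the real endpoints that
    expose settings or logs depend on the deployment."""
    u = urlparse(base_url)
    conn_cls = (http.client.HTTPSConnection if u.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Origin": probe_origin})
        resp = conn.getresponse()
        return classify_cors(dict(resp.getheaders()), probe_origin)
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder target: replace with the instance you administer.
    verdict = probe_instance("http://127.0.0.1:9600")
    print(verdict, "VULNERABLE" if is_vulnerable(verdict) else "ok")
```

Run it against the instance before and after upgrading to version 10 (and after adding the reverse-proxy headers): a pre-patch deployment with the misconfiguration should come back as 'wildcard' or one of the 'reflected' verdicts, a correctly configured one as 'none' or 'restricted'. A single GET with an Origin header is enough; a preflight OPTIONS is only needed for non-simple requests and would only widen what the probe reports.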

📡 Detection & Monitoring

Log Indicators:

  • Unusual cross-origin requests
  • Multiple failed CORS preflight requests
  • Unexpected API key usage

Network Indicators:

  • Suspicious cross-origin requests to sensitive endpoints
  • Unexpected OPTIONS requests

SIEM Query:

source="webui" AND (uri="/api/*" OR uri="/logs/*") AND referer NOT IN allowed_domains
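The SIEM query above expressed over web-server access logs, as an added example (not from the advisory or the project): it parses lines in the common "combined" format, keeps only requests under /api/ or /logs/, and flags those whose Referer host is not in the allowlist. The log lines, the hostnames and the request paths are all constructed for the example; real lollms-webui endpoints differ.

```python
"""Added example: hunt access logs for cross-origin requests to sensitive
paths, the log-side counterpart of the SIEM query in this advisory.
Not part of lollms-webui."""
import re
from urllib.parse import urlparse

# Constructed sample lines in nginx/apache "combined" format (not real logs).
# Paths and hostnames are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2024:12:00:01 +0000] "GET /api/settings HTTP/1.1" 200 512 "https://webui.internal.example/" "Mozilla/5.0"
10.0.0.5 - - [10/Jul/2024:12:00:02 +0000] "GET /static/app.js HTTP/1.1" 200 4096 "https://webui.internal.example/" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2024:12:00:03 +0000] "GET /api/settings HTTP/1.1" 200 512 "https://evil-page.example/index.html" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2024:12:00:03 +0000] "GET /logs/server.log HTTP/1.1" 200 8192 "https://evil-page.example/index.html" "Mozilla/5.0"
10.0.0.9 - - [10/Jul/2024:12:00:04 +0000] "POST /api/projects HTTP/1.1" 200 20 "-" "curl/8.0"
"""

# One line of the combined log format; the Referer is the second-to-last
# quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Path prefixes the advisory's query treats as sensitive.
SENSITIVE_PREFIXES = ("/api/", "/logs/")


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer: str):
    """Hostname of the Referer value, or None when the field is empty ('-')."""
    if referer in ("", "-"):
        return None
    return urlparse(referer).hostname


def find_cross_origin_hits(log_text: str, allowed_hosts) -> list:
    """Requests to sensitive paths whose Referer host is outside the allowlist.

    Lines without a Referer are not flagged: direct API clients (curl,
    scripts) send none, and a browser attack page normally does send one
    unless it sets a restrictive Referrer-Policy, which is why this check
    complements rather than replaces the CORS header fix.
    """
    allowed = set(allowed_hosts)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(SENSITIVE_PREFIXES):
            continue
        host = referer_host(rec["referer"])
        if host is None or host in allowed:
            continue
        hits.append({"ip": rec["ip"], "path": rec["path"],
                     "referer_host": host, "status": rec["status"]})
    return hits


if __name__ == "__main__":
    for hit in find_cross_origin_hits(SAMPLE_LOG, {"webui.internal.example"}):
        print(hit)
```

Running it on the sample flags the two requests that came from evil-page.example (one to /api/settings, one to /logs/server.log) and ignores the allowed-origin browser traffic and the referer-less curl call. In a real deployment feed it the proxy's access log and set the allowlist to every hostname the UI is legitimately served from.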
