CVE-2024-8736

A Denial of Service (DoS) vulnerability exists in multiple file upload endpoints of parisneo/lollms-webui version V12 (Strawberry). The vulnerability can be exploited remotely via Cross-Site Request Forgery (CSRF). Despite CSRF protection preventing file uploads, the application still processes multipart boundaries, leading to resource exhaustion. By appending additional characters to the multipart boundary, an attacker can cause the server to parse each byte of the boundary, ultimately leading to service unavailability. This vulnerability is present in the `/upload_avatar`, `/upload_app`, and `/upload_logo` endpoints.

CVSS v3.0 6.5 MEDIUM

6.5^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/935dbc03-1b43-4dbb-b6cd-1aa95a789d4f	Exploit
https://huntr.com/bounties/935dbc03-1b43-4dbb-b6cd-1aa95a789d4f	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:lollms:lollms_web_ui:12:*:*:*:*:*:*:*

History

01 Apr 2025, 20:31

Type	Values Removed	Values Added
References	~~() https://huntr.com/bounties/935dbc03-1b43-4dbb-b6cd-1aa95a789d4f -~~	() https://huntr.com/bounties/935dbc03-1b43-4dbb-b6cd-1aa95a789d4f - Exploit
First Time		Lollms Lollms lollms Web Ui
CWE		CWE-352
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
CPE		cpe:2.3:a:lollms:lollms_web_ui:12:::::::*

20 Mar 2025, 16:15

Type	Values Removed	Values Added
CWE	~~CWE-400~~

20 Mar 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-20 10:15

Updated : 2025-04-04 09:15

NVD link : CVE-2024-8736

Mitre link : CVE-2024-8736

JSON object : View

Products Affected

lollms

lollms_web_ui

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

6.5 /10