What is the severity of CVE-2024-6581?

CVE-2024-6581 is classified as a high-severity vulnerability due to its potential for cross-site scripting (XSS) attacks.

How do I fix CVE-2024-6581?

To mitigate CVE-2024-6581, ensure that the sanitize_svg function properly filters SVG uploads to prevent XSS vulnerabilities.

Which versions of Lollms are affected by CVE-2024-6581?

CVE-2024-6581 affects Lollms version 9.9 and earlier versions up to 9.5.1.

What type of vulnerability is CVE-2024-6581?

CVE-2024-6581 is a cross-site scripting (XSS) vulnerability resulting from inadequate SVG file filtration.

Is there a patch available for CVE-2024-6581?

As of now, a patch for CVE-2024-6581 has not been explicitly mentioned, so users should implement code changes to sanitize SVG uploads.

Vulnerability/
CVE-2024-6581

critical

CWE

29/10/2024

4/11/2024

CVE-2024-6581: Remote Code Execution due to Stored XSS in parisneo/lollms

First published: Tue Oct 29 2024(Updated: )

A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Due to incomplete filtering in the sanitize_svg function, this can lead to cross-site scripting (XSS) vulnerabilities, which in turn pose a risk of remote code execution. The sanitize_svg function only removes script elements and 'on*' event attributes, but does not account for other potential vectors for XSS within SVG files. This vulnerability can be exploited when authorized users access a malicious URL containing the crafted SVG file.

Credit: security@huntr.dev security@huntr.dev

Affected Software	Affected Version	How to fix
pip/lollms	<=9.5.1
Lollms	=9.9

Remedy

https://github.com/parisneo/lollms/commit/328b960a0de2097e13654ac752253e9541521ddd

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-6581?
CVE-2024-6581 is classified as a high-severity vulnerability due to its potential for cross-site scripting (XSS) attacks.
How do I fix CVE-2024-6581?
To mitigate CVE-2024-6581, ensure that the sanitize_svg function properly filters SVG uploads to prevent XSS vulnerabilities.
Which versions of Lollms are affected by CVE-2024-6581?
CVE-2024-6581 affects Lollms version 9.9 and earlier versions up to 9.5.1.
What type of vulnerability is CVE-2024-6581?
CVE-2024-6581 is a cross-site scripting (XSS) vulnerability resulting from inadequate SVG file filtration.
Is there a patch available for CVE-2024-6581?
As of now, a patch for CVE-2024-6581 has not been explicitly mentioned, so users should implement code changes to sanitize SVG uploads.

agent/weakness
agent/title
agent/description
agent/type
agent/first-publish-date
agent/remedy
agent/severity
agent/softwarecombine
agent/event
agent/author
collector/mitre-cve
source/MITRE
collector/github-advisory-latest
source/GitHub
alias/GHSA-cm59-8rmv-f2cj
alias/CVE-2024-6581
agent/software-canonical-lookup
agent/last-modified-date
agent/references
collector/github-advisory
agent/trending
agent/source
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup-request
collector/nvd-cve
package-manager/pip
vendor/lollms
canonical/lollms
version/lollms/9.9

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.