CVE-2024-8017: Cross-site Scripting (XSS) in open-webui/open-webui
First published: Thu Mar 20 2025(Updated: )
An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the HTML for tooltips. This vulnerability allows attackers to perform operations with the victim's privileges, such as stealing chat history, deleting chats, and escalating their own account to an admin if the victim is an admin.
Credit: security@huntr.dev
| Affected Software | Affected Version | How to fix |
|---|---|---|
| open-webui | <=0.3.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-8017?
CVE-2024-8017 is classified as a medium severity vulnerability due to its potential to allow an attacker to execute actions with the victim's privileges.
How do I fix CVE-2024-8017?
To fix CVE-2024-8017, upgrade open-webui to version 0.3.9 or later where the vulnerability has been addressed.
What types of attacks can CVE-2024-8017 enable?
CVE-2024-8017 can enable attacks such as stealing chat history and deleting chats by exploiting the XSS vulnerability.
Which versions of open-webui are affected by CVE-2024-8017?
CVE-2024-8017 affects open-webui versions 0.3.8 and earlier.
What is the root cause of CVE-2024-8017?
The root cause of CVE-2024-8017 is an inadequate sanitization process in the tooltip HTML construction function, leading to XSS vulnerabilities.
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/references
- agent/weakness
- agent/type
- agent/description
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/author
- agent/severity
- agent/source
- agent/tags
- agent/event
- vendor/open-webui
- canonical/open-webui