How severe is CVE-2024-6040?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.4 out of 10.

What type of vulnerability is CVE-2024-6040?

This is classified as CWE-304, which is a common weakness in software security.

CVE-2024-6040 - MEDIUM Severity | CVSS 4.4

Vulnerability Description

In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim's machine.

Related Vulnerabilities

CVE-2011-3172

CRITICAL

CVSS:9.8(Critical)

A vulnerability in pam_modules of SUSE Linux Enterprise allows attackers to log into accounts that should have been disabled. Affected releases are SUSE Linux Enterprise: versions prior to 12.

CWE-3042011

CVE-2022-2302

CRITICAL

CVSS:9.8(Critical)

Multiple Lenze products of the cabinet series skip the password verification upon second login. After a user has been logged on to the device once, a remote attacker can get full access without knowle...

CWE-3042022

CVE-2022-2821

CRITICAL

CVSS:9.8(Critical)

Missing Critical Step in Authentication in GitHub repository namelessmc/nameless prior to v2.0.2.

CWE-3042022

CVE-2024-45764

CRITICAL

CVSS:9.8(Critical)

Dell Enterprise SONiC OS, version(s) 4.1.x, 4.2.x, contain(s) a Missing Critical Step in Authentication vulnerability. An unauthenticated attacker with remote access could potentially exploit this vul...

CWE-3042024

CVE-2024-8954

CRITICAL

CVSS:9.8(Critical)

In composiohq/composio version 0.5.10, the API does not validate the `x-api-key` header's value during the authentication step. This vulnerability allows an attacker to bypass authentication by provid...

CWE-3042024

CVE-2022-1065

HIGH

CVSS:8.8(High)

A vulnerability within the authentication process of Abacus ERP allows a remote attacker to bypass the second authentication factor. This issue affects: Abacus ERP v2022 versions prior to R1 of 2022-0...

CWE-3042022