CVE-2024-7043

HIGH Year: 2024
CVSS v3 Score
8.1
High
Weakness Type
CWE-821
View all →

Vulnerability Description

An improper access control vulnerability in open-webui/open-webui v0.3.8 allows attackers to view and delete any files. The application does not verify whether the attacker is an administrator, allowing the attacker to directly call the GET /api/v1/files/ interface to retrieve information on all files uploaded by users, which includes the ID values. The attacker can then use the GET /api/v1/files/{file_id} interface to obtain information on any file and the DELETE /api/v1/files/{file_id} interface to delete any file.

Related Vulnerabilities

CVE-2024-1739

HIGH
CVSS:7.5(High)

lunary-ai/lunary is vulnerable to an authentication issue due to improper validation of email addresses during the signup process. Specifically, the server fails to treat email addresses as case insen...

CWE-8212024

CVE-2024-1902

HIGH
CVSS:7.5(High)

lunary-ai/lunary is vulnerable to a session reuse attack, allowing a removed user to change the organization name without proper authorization. The vulnerability stems from the lack of validation to c...

CWE-8212024

CVE-2022-1931

CRITICAL
CVSS:9.1(Critical)

Incorrect Synchronization in GitHub repository polonel/trudesk prior to 1.2.3.

CWE-8212022

CVE-2023-5088

HIGH
CVSS:7.0(High)

A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for...

CWE-8212023

CVE-2024-6657

MEDIUM
CVSS:6.5(Medium)

A denial of service may be caused to a single peripheral device in a BLE network when multiple central devices continuously connect and disconnect to the peripheral. A hard reset is required to recove...

CWE-8212024

CVE-2022-1931

CRITICAL
CVSS:9.1(Critical)

Incorrect Synchronization in GitHub repository polonel/trudesk prior to 1.2.3.

CWE-8212022