CVE-2024-9919

HIGH Year: 2024
CVSS v3 Score
8.4
High
Weakness Type
CWE-304
View all →

Vulnerability Description

A missing authentication check in the uninstall endpoint of parisneo/lollms-webui V13 allows attackers to perform unauthorized directory deletions. The /uninstall/{app_name} API endpoint does not call the check_access() function to verify the client_id, enabling attackers to delete directories without proper authentication.

Related Vulnerabilities

CVE-2024-9216

HIGH
CVSS:8.1(High)

An authentication bypass vulnerability exists in gaizhenbiao/ChuanhuChatGPT, as of commit 3856d4f, allowing any user to read and delete other users' chat history. The vulnerability arises because the ...

CWE-3042024

CVE-2022-1065

HIGH
CVSS:8.8(High)

A vulnerability within the authentication process of Abacus ERP allows a remote attacker to bypass the second authentication factor. This issue affects: Abacus ERP v2022 versions prior to R1 of 2022-0...

CWE-3042022

CVE-2022-40622

HIGH
CVSS:8.8(High)

The WAVLINK Quantum D4G (WN531G3) running firmware version M31G3.V5030.200325 uses IP addresses to hold sessions and does not not use session tokens. Therefore, if an attacker changes their IP address...

CWE-3042022

CVE-2024-11302

HIGH
CVSS:8.0(High)

A missing check_access() function in the lollms_binding_infos module of the parisneo/lollms repository, version V14, allows attackers to add, modify, and remove bindings arbitrarily. This vulnerabilit...

CWE-3042024

CVE-2024-12048

HIGH
CVSS:8.8(High)

An IDOR (Insecure Direct Object Reference) vulnerability exists in transformeroptimus/superagi version v0.0.14. The application fails to properly check authorization for multiple API endpoints, allowi...

CWE-3042024

CVE-2024-12136

HIGH
CVSS:7.8(High)

Missing Critical Step in Authentication vulnerability in Elfatek Elektronics ANKA JPD-00028 allows Authentication Bypass.This issue affects ANKA JPD-00028: through 19.03.2025. NOTE: The vendor did not...

CWE-3042024