CVE-2024-2299 in lollms-webui
Summary
by MITRE • 05/14/2024
A stored Cross-Site Scripting (XSS) vulnerability exists in the parisneo/lollms-webui application due to improper validation of uploaded files in the profile picture upload functionality. Attackers can exploit this vulnerability by uploading malicious HTML files containing JavaScript code, which is executed when the file is accessed. This vulnerability is remotely exploitable via Cross-Site Request Forgery (CSRF), allowing attackers to perform actions on behalf of authenticated users and potentially leading to unauthorized access to sensitive information within the Lollms-webui application.
Analysis
by VulDB Data Team • 07/09/2025
The stored cross-site scripting vulnerability tracked as CVE-2024-2299 is a critical flaw in the parisneo/lollms-webui application that undermines both user safety and application integrity. It affects the profile picture upload functionality, creating a persistent vector through which attackers can place malicious content in the application's storage. The root cause is inadequate input validation: the upload handler neither sanitizes file content nor restricts file types, so arbitrary JavaScript can later execute in the context of authenticated user sessions.
The vulnerability follows a well-established attack pattern that combines a file-upload restriction bypass with persistent XSS. When a user uploads a profile picture through the application's interface, the system does not adequately validate either the content or the file extension of the upload, so HTML files containing embedded script tags are accepted. The problem is compounded by the absence of content sanitization, which lets an attacker store a payload that persists on the application's file system. Because the vulnerability is stored, a malicious file remains active once it has been uploaded and processed, and it is executed whenever the file is accessed or displayed within the application's interface.
The operational impact of CVE-2024-2299 goes beyond simple code execution: a stored payload gives an attacker a persistent foothold from which to perform unauthorized actions in the application's context. Remote exploitability via cross-site request forgery widens the attack surface considerably, since an attacker can leverage an authenticated session without requiring direct user interaction. Together, the stored XSS and the CSRF exposure enable actions such as reading sensitive user data, modifying user permissions, or establishing persistent access to the application. The vulnerability maps to CWE-79, which defines cross-site scripting as a critical weakness in web applications, and aligns with ATT&CK technique T1566.001 (initial access through spearphishing attachments), illustrating how it can be weaponized in real-world attack scenarios.
The security implications are particularly concerning because the flaw sits in a core user-management feature that handles profile data. A crafted HTML file carrying a JavaScript payload executes when the profile picture is rendered, and can steal session cookies, redirect users to malicious sites, or perform unauthorized operations within the application. The CSRF component lets an attacker ride on legitimate user sessions, which makes detection harder and raises the likelihood of a successful attack. Organizations running lollms-webui should apply immediate mitigations: strict file type validation, content sanitization of uploaded files, and CSRF tokens for all file upload operations. The application should also enforce a proper content security policy and consider file integrity checks to prevent execution of malicious content stored on its file system, in line with industry best practice for web application security and defense in depth.
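As an added example (not lollms-webui's own code) of the upload-side mitigations listed above, the following Python check enforces an extension allowlist, verifies the image's leading magic bytes, rejects image/HTML polyglots, and returns the response headers that keep a stored upload from ever being rendered as HTML. The function names, file names and sample byte strings are constructed for illustration.

```python
import os
import re

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".webp"}
# Leading magic bytes of the raster formats we accept; anything else is rejected.
SIGNATURES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}
# Conservative heuristic for image/HTML polyglots hidden behind a valid image header.
MARKUP = re.compile(rb"<\s*(?:!doctype|html|body|script|svg|iframe|object|embed)\b", re.I)


def sniff_image_type(data: bytes):
    """Return the MIME type implied by the file's leading bytes, or None."""
    for mime, sig in SIGNATURES.items():
        if data.startswith(sig):
            return mime
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def validate_profile_picture(filename: str, data: bytes, max_bytes: int = 2_000_000):
    """Return (accepted, detail). Both the name and the bytes must look like an image."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_EXT:
        return False, "extension not allowed"
    if len(data) > max_bytes:
        return False, "file too large"
    mime = sniff_image_type(data)
    if mime is None:
        return False, "content is not a recognised image"
    if MARKUP.search(data[:8192]):
        return False, "markup found inside image data"
    return True, mime


def headers_for_stored_upload(mime: str) -> dict:
    # Serve stored uploads as inert bytes: no sniffing, no document rendering, no scripts.
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed samples: a genuine PNG header, a plain HTML file, and a GIF/HTML polyglot.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 20
SAMPLE_HTML = b"<html><body><script>document.title='x'</script></body></html>"
SAMPLE_POLYGLOT = b"GIF89a" + b"<script>document.title='x'</script>"
```

The magic-byte check is what stops an HTML file renamed to `.png`; the `nosniff` and `attachment` headers are what stop a browser from turning any bytes that slip through into an executing document.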