CVE-2024-6040: 120 is being updated in the LTC (Long Term Support Candidate) channel, version 1200.6099.301 (Platform Version: 15662.96.0), for most ChromeOS devices.

Published Mar 11, 2024
·
Updated

In parisneo/lollms-webui version v9.8, the lollmsbindinginfos is missing the clientid parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reloadbinding, /installbinding, /reinstallbinding, /unInstallbinding, /setactivebindingsettings, and /updatebindingsettings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim's machine.

Affected Software

3 affected components
Google ChromeOS
parisneo lollms-webui
lollms Lollms Web Ui=9.8

Event History

Mar 11, 2024
CVE Published
12:00 AM
Data Sourced
12:00 AM
SeverityWeakness
Aug 1, 2024
CVE Published
via MITRE·03:32 PM
Data Sourced
via MITRE·03:32 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·04:15 PM
DescriptionSeverityWeaknessAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Peer vulnerabilities

Found alongside the following vulnerabilities.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-6040?

CVE-2024-6040 is considered to have multiple security vulnerabilities due to the missing client_id parameter.

2

How do I fix CVE-2024-6040?

To fix CVE-2024-6040, ensure that the client_id parameter is included in the lollms_binding_infos configuration.

3

Which software is affected by CVE-2024-6040?

CVE-2024-6040 affects the pariso lollms-webui version v9.8 and Google ChromeOS.

4

What endpoints are vulnerable in CVE-2024-6040?

The vulnerable endpoints in CVE-2024-6040 include /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, and /set_active_binding_settings.

5

What are the potential impacts of CVE-2024-6040?

The lack of the client_id parameter in CVE-2024-6040 may lead to unauthorized access and other security issues.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203