← Back to CVE List

CVE-2024-12766

Published: 2025-03-20T10:15Z
Last Modified: 2025-03-20T14:15Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
parisneo/lollms-webui version V13 (feather) suffers from a Server-Side Request Forgery (SSRF) vulnerability in the `POST /api/proxy` REST API. Attackers can exploit this vulnerability to abuse the victim server's credentials to access unauthorized web resources by specifying the JSON parameter `{"url":"http://steal.target"}`. Existing security mechanisms such as `forbid_remote_access(lollmsElfServer)`, `lollmsElfServer.config.headless_server_mode`, and `check_access(lollmsElfServer, request.client_id)` do not protect against this vulnerability. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt