CVE-2024-2288: CWE-352 Cross-Site Request Forgery (CSRF) in parisneo parisneo/lollms-webui
A Cross-Site Request Forgery (CSRF) vulnerability exists in the profile picture upload functionality of the Lollms application, specifically in the parisneo/lollms-webui repository, affecting versions up to 7.3.0. This vulnerability allows attackers to change a victim's profile picture without their consent, potentially leading to a denial of service by overloading the filesystem with files. Additionally, this flaw can be exploited to perform a stored cross-site scripting (XSS) attack, enabling attackers to execute arbitrary JavaScript in the context of the victim's browser session. The issue is resolved in version 9.3.
AI Analysis
Technical Summary
CVE-2024-2288 is a Cross-Site Request Forgery (CSRF) vulnerability in the profile picture upload functionality of parisneo/lollms-webui, affecting versions up to 7.3.0. The upload endpoint accepts a state-changing request without verifying that it came from the application's own pages (no anti-CSRF token and no Origin or Referer check), so an attacker can host a page that, when visited by an authenticated user, silently submits an upload in that user's name. Two consequences follow. First, repeating the forged upload fills the server's filesystem with picture files, a denial of service. Second, because the uploaded file is later served back to users, a file that carries script becomes a stored cross-site scripting (XSS) payload running in the victim's browser session, from which an attacker can hijack the session, read sensitive data, or act as the user. The attacker needs no account on the application; the victim must be logged in and must visit the attacker's page. The CVSS v3.0 score is 8.3, reflecting low attack complexity, required user interaction, and high impact on confidentiality and availability. The issue is fixed in version 9.3. No exploitation in the wild has been reported. The weakness is classified as CWE-352 (CSRF).
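The two checks whose absence the summary describes, origin verification on the state-changing upload and content restriction on what gets stored, written out in Python as an added example. This is not code from parisneo/lollms-webui: the request dictionary, the application origin, the token scheme, the size cap and the in-memory storage are assumptions standing in for the framework's request object and file store.

```python
"""Hardened handling for a profile-picture upload endpoint: request-origin
verification (anti-CSRF), a per-session token, content sniffing so only
raster images are stored (anti-stored-XSS), and one picture per user so a
forged upload overwrites instead of filling the disk.

Added example, not code from parisneo/lollms-webui. ALLOWED_ORIGINS,
MAX_PICTURE_BYTES, the request dict shape and the storage dict are assumed.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://lollms.example"}   # assumed application origin
MAX_PICTURE_BYTES = 2 * 1024 * 1024            # assumed size cap
# Raster formats only: SVG and HTML can carry <script> and are rejected.
IMAGE_MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)


class UploadRejected(Exception):
    """Raised with a short reason string when a check fails."""


def request_origin(headers):
    """Origin header if present, else the origin part of Referer, else None."""
    if headers.get("origin"):
        return headers["origin"]
    ref = headers.get("referer")
    if not ref:
        return None
    p = urlsplit(ref)
    return f"{p.scheme}://{p.netloc}"


def issue_csrf_token(secret: bytes, session_id: str) -> str:
    """Per-session anti-CSRF token: HMAC-SHA256 of the session id."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(secret: bytes, session_id: str, token) -> bool:
    expected = issue_csrf_token(secret, session_id)
    return hmac.compare_digest(expected, token or "")


def sniff_image(data: bytes):
    """MIME type from magic bytes, or None if the bytes are not a raster image."""
    for magic, mime in IMAGE_MAGIC:
        if data.startswith(magic):
            return mime
    return None


def handle_avatar_upload(request: dict, secret: bytes, storage: dict) -> dict:
    """Validate an upload and store it under the user id.

    `request` is a plain dict standing in for a framework request object:
      {"session_id": str, "user_id": str, "headers": {...},
       "csrf_token": str | None, "filename": str, "body": bytes}
    `storage` maps user_id -> (mime, bytes).
    """
    origin = request_origin(request["headers"])
    if origin not in ALLOWED_ORIGINS:
        raise UploadRejected("cross-site request: bad or missing Origin/Referer")
    if not csrf_token_valid(secret, request["session_id"], request.get("csrf_token")):
        raise UploadRejected("missing or invalid CSRF token")
    body = request["body"]
    if len(body) > MAX_PICTURE_BYTES:
        raise UploadRejected("file too large")
    mime = sniff_image(body)   # never trust the extension or client Content-Type
    if mime is None:
        raise UploadRejected("not a PNG/JPEG/GIF image")
    storage[request["user_id"]] = (mime, body)   # overwrite, never accumulate
    return {"user_id": request["user_id"], "mime": mime, "stored": len(storage)}


def upload_outcome(request: dict, secret: bytes, storage: dict) -> str:
    """Convenience wrapper: 'accepted' or the rejection reason."""
    try:
        handle_avatar_upload(request, secret, storage)
        return "accepted"
    except UploadRejected as exc:
        return str(exc)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    store = {}
    forged = {"session_id": "s1", "user_id": "alice",
              "headers": {"referer": "https://attacker.example/csrf.html"},
              "csrf_token": None, "filename": "x.png", "body": b"<svg onload=alert(1)>"}
    print(upload_outcome(forged, secret, store))
```

A forged request from another site fails the first check whether or not the browser attached the victim's cookie; a request replayed with the cookie but without the per-session token fails the second; and an SVG or HTML file fails the magic-byte check even when its extension and client-supplied Content-Type claim an image. Keying storage by user id means the flooding variant overwrites one file rather than accumulating thousands.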
Potential Impact
For European organizations, exploitation of CVE-2024-2288 could lead to unauthorized modification of user profiles, damaging user trust. The denial-of-service aspect can exhaust filesystem resources and take the application offline. The stored XSS component poses a significant risk to confidentiality and integrity: script running in a victim's session can hijack that session, steal credentials, and drive further actions as the user. Organizations relying on parisneo/lollms-webui for AI or web UI services may face operational disruptions and data breaches, which is particularly critical where the instance handles sensitive data or serves AI to clients. Because exploitation needs only that a logged-in user visit an attacker-controlled page, phishing or social engineering is a realistic trigger, raising the risk where user security awareness is low.
Mitigation Recommendations
The primary mitigation is to upgrade parisneo/lollms-webui to version 9.3 or later, where the issue is fixed. Where an upgrade must wait, the protections below are the ones that matter for this bug. Anti-CSRF tokens on every state-changing request, the profile picture upload endpoint first, require a change to the application itself; until then, a reverse proxy in front of the web UI can reject POSTs to the upload endpoint whose Origin header (or, failing that, Referer) is not the application's own origin, and reducing the network exposure of the UI (bind to localhost, firewall, VPN) shrinks the set of browsers from which an attacker page can reach it. Uploaded files should be validated by content rather than by extension or client-supplied Content-Type, restricted to raster image formats, and served with X-Content-Type-Options: nosniff, as an attachment or from a separate origin, so that a script-bearing file is never rendered as a page of the application. A WAF can flag bursts of upload requests and cross-origin submissions to the upload endpoint, and monitoring filesystem usage and upload rates per user or client gives early warning of the flooding variant. Content Security Policy headers limit what injected script can do on application pages, but do not help if an uploaded file is served as its own document, which is why the serving controls above are needed. User education to avoid untrusted links reduces, but does not remove, the chance of the triggering visit.
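One way to implement the upload-pattern monitoring recommended above, as an added example that is not tooling from the project: a Python pass over web-server access logs that flags upload POSTs whose Referer is off-site or absent, and bursts of uploads from one client within a short window. The log lines are constructed for the example, and the upload path, trusted host and thresholds are placeholders rather than values from lollms-webui.

```python
"""Detect profile-picture upload abuse of the kind CVE-2024-2288 enables, from
web-server access logs: upload POSTs whose Referer is off-site or absent (the
fingerprint of a cross-site forged request) and bursts of uploads from one
client (the filesystem-flooding variant).

Added example, not tooling from lollms-webui. The log lines are constructed;
UPLOAD_PATH, TRUSTED_HOSTS and the thresholds are placeholders.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import urlsplit

UPLOAD_PATH = "/upload_avatar"        # placeholder for the real endpoint path
TRUSTED_HOSTS = {"lollms.example"}    # hosts the application's own pages live on
BURST_LIMIT = 5                       # uploads per client ...
BURST_WINDOW_S = 60                   # ... within this many seconds

# Combined Log Format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample: one legitimate upload, five forged uploads from one
# client in quick succession, one upload with no Referer, one unrelated GET.
SAMPLE_LOG = """\
10.0.0.7 - - [15/Oct/2025:13:01:26 +0000] "POST /upload_avatar HTTP/1.1" 200 21 "https://lollms.example/settings" "Mozilla/5.0"
10.0.0.9 - - [15/Oct/2025:13:02:01 +0000] "POST /upload_avatar HTTP/1.1" 200 21 "https://attacker.example/csrf.html" "Mozilla/5.0"
10.0.0.9 - - [15/Oct/2025:13:02:02 +0000] "POST /upload_avatar HTTP/1.1" 200 21 "https://attacker.example/csrf.html" "Mozilla/5.0"
10.0.0.9 - - [15/Oct/2025:13:02:03 +0000] "POST /upload_avatar HTTP/1.1" 200 21 "https://attacker.example/csrf.html" "Mozilla/5.0"
10.0.0.9 - - [15/Oct/2025:13:02:04 +0000] "POST /upload_avatar HTTP/1.1" 200 21 "https://attacker.example/csrf.html" "Mozilla/5.0"
10.0.0.9 - - [15/Oct/2025:13:02:05 +0000] "POST /upload_avatar HTTP/1.1" 200 21 "https://attacker.example/csrf.html" "Mozilla/5.0"
10.0.0.11 - - [15/Oct/2025:13:03:10 +0000] "POST /upload_avatar HTTP/1.1" 200 21 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Oct/2025:13:05:00 +0000] "GET /avatars/alice.png HTTP/1.1" 200 5123 "https://lollms.example/" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # ignore query strings
    return rec


def analyse(lines):
    """Return alerts as (kind, client_ip, detail) tuples, in log order.

    kind is 'cross-site-referer' (once per client and referring host) or
    'upload-burst' (when a client reaches BURST_LIMIT uploads in the window).
    """
    alerts = []
    seen_referers = set()
    recent = defaultdict(deque)   # client ip -> timestamps of recent uploads
    for rec in map(parse_line, lines):
        if rec is None or rec["method"] != "POST" or rec["path"] != UPLOAD_PATH:
            continue
        host = urlsplit(rec["referer"]).hostname   # None for "-" or empty
        if host not in TRUSTED_HOSTS and (rec["ip"], host) not in seen_referers:
            seen_referers.add((rec["ip"], host))
            alerts.append(("cross-site-referer", rec["ip"], host or "-"))
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while (rec["ts"] - window[0]).total_seconds() > BURST_WINDOW_S:
            window.popleft()
        if len(window) == BURST_LIMIT:
            alerts.append(("upload-burst", rec["ip"], len(window)))
    return alerts


def run_sample():
    """Analyse the constructed sample log."""
    return analyse(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, ip, detail in run_sample():
        print(f"{kind:20} {ip:12} {detail}")
```

An absent Referer is treated as untrusted on purpose: a forged request may carry none, depending on the attacker page's referrer policy, so its absence is not proof of forgery but is not evidence of a legitimate submission either. Where the proxy logs the Origin header, that is the better field to key on, since browsers send it on cross-site POSTs regardless of referrer policy.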
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: @huntr_ai
- Date Reserved: 2024-03-07T16:40:34.866Z
- CVSS Version: 3.0
- State: PUBLISHED