Remote Code Execution due to Stored XSS in parisneo/lollms

A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Due to incomplete filtering in the sanitize_svg function, this can lead to cross-site scripting (XSS) vulnerabilities, which in turn pose a risk of remote code execution. The sanitize_svg function only removes script elements and 'on*' event attributes, but does not account for other potential vectors for XSS within SVG files. This vulnerability can be exploited when authorized users access a malicious URL containing the crafted SVG file.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

LoLLMs 跨站脚本漏洞

LoLLMs是Saifeddine ALOUI个人开发者的一个大型语言多模式系统的 Web UI。 LoLLMs v9.9版本存在跨站脚本漏洞，该漏洞源于允许上传SVG文件，可能导致跨站脚本(XSS)漏洞，进而带来远程代码执行的风险。

N/A

N/A