Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Improper Access Control via Weak JWT Token in parisneo/lollms
Vulnerability Description
In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalate privileges, impersonate the administrator, and gain access to restricted endpoints. The issue is resolved in version 2.2.0.
CVSS Information
N/A
Vulnerability Type
访问控制不恰当
Vulnerability Title
LoLLMs 安全漏洞
Vulnerability Description
LoLLMs是Saifeddine ALOUI个人开发者的一个大型语言与多模态系统。 lollms 2.1.0版本存在安全漏洞,该漏洞源于使用弱密钥签署JSON Web Tokens导致访问控制不当,可能导致攻击者执行离线暴力破解以恢复密钥,进而伪造管理令牌并提升权限。
CVSS Information
N/A
Vulnerability Type
N/A