CVE-2024-24566

Published: Jan 31, 2024Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. When the application is password-protected (deployed with the `ACCESS_CODE` option), it is possible to access plugins without proper authorization (without password). This vulnerability is patched in 0.122.4.

Affected (1)

Products: Lobehub: Lobe Chat

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Lobehub Lobe Chat	Before 0.122.4

Related CWEs

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (4)

https://github.com/lobehub/lobe-chat/commit/2184167f09ab68e4efa051ee984ea0c4e7c48fbd

Source: security-advisories@github.com

Patch

https://github.com/lobehub/lobe-chat/security/advisories/GHSA-pf55-fj96-xf37

Source: security-advisories@github.com

ExploitThird Party Advisory

https://github.com/lobehub/lobe-chat/commit/2184167f09ab68e4efa051ee984ea0c4e7c48fbd

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/lobehub/lobe-chat/security/advisories/GHSA-pf55-fj96-xf37

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.