Missing Critical Step in Authentication

CVE-2024-11302

High

8/10

Summary

A missing check_access() function in the lollms_binding_infos module of the parisneo/lollms repository, version V14, allows attackers to add, modify, and remove bindings arbitrarily. This vulnerability affects the /install_binding and /reinstall_binding endpoints, among others, enabling unauthorized access and manipulation of binding settings without requiring the client_id value.

Attack Complexity: LOW
Attack Vector: LOCAL
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: HIGH

CWE-304 - Missing Critical Step in Authentication

The software implements an authentication technique, but it skips a step that weakens the technique.

References

Advisory Timeline

Published Mar 20, 2025

Missing Critical Step in Authentication

CVE-2024-11302

Summary

CWE-304 - Missing Critical Step in Authentication

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS