CVE-2024-7990: Stored Cross-Site Scripting in open-webui/open-webui
Description
A stored cross-site scripting (XSS) vulnerability exists in open-webui/open-webui version 0.3.8. The vulnerability is present in the `/api/v1/models/add` endpoint, where the model description field is improperly sanitized before being rendered in chat. This allows an attacker to inject malicious scripts that can be executed by any user, including administrators, potentially leading to arbitrary code execution.
Classification
CVE ID: CVE-2024-7990
CVSS Base Severity: HIGH
CVSS Base Score: 8.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H
Problem Types
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Affected Products
Vendor: open-webui
Product: open-webui/open-webui
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.05% (probability of being exploited)
EPSS Percentile: 14.22% (scored less or equal to compared to others)
EPSS Date: 2025-04-18 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2024-7990https://huntr.com/bounties/2256e336-0f67-449e-a82d-7fc57081a21c