CVE-2024-7040

MEDIUM Year: 2024
CVSS v3 Score
4.9
Medium
Weakness Type
CWE-284
View all →

Vulnerability Description

In version v0.3.8 of open-webui/open-webui, there is an improper access control vulnerability. On the frontend admin page, administrators are intended to view only the chats of non-admin members. However, by modifying the user_id parameter, it is possible to view the chats of any administrator, including those of other admin (owner) accounts.

Related Vulnerabilities

CVE-2016-0731

MEDIUM
CVSS:4.9(Medium)

The File Browser View in Apache Ambari before 2.2.1 allows remote authenticated administrators to read arbitrary files via a file: URL in the WebHDFS URL configuration.

CWE-2842016

CVE-2021-27653

MEDIUM
CVSS:4.9(Medium)

Misconfiguration of the Pega Chat Access Group portal in Pega platform 7.4.0 - 8.5.x could lead to unintended data exposure.

CWE-2842021

CVE-2021-40130

MEDIUM
CVSS:4.9(Medium)

A vulnerability in the web application of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to specify non-log files as sources for syslog reporting. This v...

CWE-2842021

CVE-2021-45730

MEDIUM
CVSS:4.9(Medium)

JFrog Artifactory prior to 7.31.10, is vulnerable to Broken Access Control where a Project Admin is able to create, edit and delete Repository Layouts while Repository Layouts configuration should onl...

CWE-2842021

CVE-2022-2088

MEDIUM
CVSS:4.9(Medium)

An authenticated user with admin privileges may be able to terminate any process on the system running Elcomplus SmartICS v2.3.4.0.

CWE-2842022

CVE-2022-31708

MEDIUM
CVSS:4.9(Medium)

vRealize Operations (vROps) contains a broken access control vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.4...

CWE-2842022