CVE-2024-8017

Critical CVSS 9.0

Overview

An XSS vulnerability exists in open-webui/open-webui versions <= 0.3.8, specifically in the function that constructs the HTML for tooltips. This vulnerability allows attackers to perform operations with the victim's privileges, such as stealing chat history, deleting chats, and escalating their own account to an admin if the victim is an admin.

CWE: CWE-79 Published: 2025-03-20T10:15:38.763

Risk analysis

This vulnerability is rated 🔴 CRITICAL.

CVSS: 9.0 (CRITICAL)
Detected tags: xss (tag impact: MODERATE)

Recommended actions:

Apply context-aware output encoding.
Enable Content-Security-Policy and HttpOnly/SameSite cookies.

Overview

Recommended tools

Tags