CVE-2024-7053

CVSS 3.1 Score 9 of 10 (high)

Details

Published: Mar 20, 2025
Updated: Apr 1, 2025
CWE ID: 79

Summary

CVE-2024-7053 is a newly identified vulnerability affecting open-webui version 0.3.8. This issue enables session fixation attacks, allowing an attacker with a standard user account to manipulate administrator sessions. The session cookie, which is not secured with the `Secure` flag and has `SameSite=Lax`, can be transferred over HTTP to a different domain. An attacker can capitalize on this flaw by embedding a malicious markdown image in a chat, causing the admin's session cookie to be sent to the attacker's server. If successful, this vulnerability can result in a stealthy administrator account takeover, potentially escalating to remote code execution (RCE) due to the administrator's elevated privileges.
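The weakness described above comes down to the attributes on the session cookie. The following is an added example, not code from the advisory or from the open-webui project: a small audit routine that parses a `Set-Cookie` header, reports a missing `Secure` flag (the attribute that stops a browser from attaching the cookie to plain-HTTP requests such as an embedded image fetch), and emits the hardened form of the header. The cookie name `session`, its value and the path are constructed for illustration and are not taken from the product.

```python
"""Audit Set-Cookie headers for the cookie weaknesses discussed above.

Added example, not part of the advisory or the open-webui project.
Header values are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a session cookie that lacks Secure and HttpOnly.
WEAK_HEADER = "session=abc123; Path=/; SameSite=Lax"


@dataclass
class CookieAudit:
    name: str
    secure: bool
    http_only: bool
    samesite: Optional[str]          # "lax", "strict", "none" or None when absent
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split a Set-Cookie header into the cookie name and its attribute flags."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    secure = http_only = False
    samesite = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
        elif key == "samesite":
            samesite = value.strip().lower() or None
    return CookieAudit(name, secure, http_only, samesite)


def audit(header: str) -> CookieAudit:
    """Record the attribute weaknesses that let a session cookie leak."""
    cookie = parse_set_cookie(header)
    if not cookie.secure:
        cookie.findings.append(
            "missing Secure: the browser attaches this cookie to http:// requests, "
            "so any plain-HTTP fetch (for example an embedded image) carries it in cleartext"
        )
    if not cookie.http_only:
        cookie.findings.append("missing HttpOnly: cookie is readable by page script")
    if cookie.samesite is None or cookie.samesite == "none":
        cookie.findings.append("SameSite absent or None: cookie is sent on cross-site requests")
    # SameSite=Lax limits cross-site subresource requests but says nothing about
    # transport: without Secure it is still sent over plain HTTP.
    return cookie


def would_be_sent(cookie: CookieAudit, request_scheme: str) -> bool:
    """Model the single rule at issue: a Secure cookie is never sent to http:// URLs."""
    return request_scheme == "https" or not cookie.secure


def hardened(header: str) -> str:
    """Rewrite the header with Secure, HttpOnly and a non-None SameSite value."""
    parts = [p.strip() for p in header.split(";")]
    managed = ("secure", "httponly", "samesite")
    kept = [parts[0]] + [
        a for a in parts[1:] if a.split("=", 1)[0].strip().lower() not in managed
    ]
    current = parse_set_cookie(header).samesite
    samesite = current if current in ("lax", "strict") else "lax"
    return "; ".join(kept + ["Secure", "HttpOnly", f"SameSite={samesite.capitalize()}"])


if __name__ == "__main__":
    weak = audit(WEAK_HEADER)
    for finding in weak.findings:
        print(f"[{weak.name}] {finding}")
    print("sent over http? ", would_be_sent(weak, "http"))
    fixed = hardened(WEAK_HEADER)
    print("hardened header:", fixed)
    print("sent over http after fix?", would_be_sent(audit(fixed), "http"))
```

Running the script on the constructed header lists the missing `Secure` and `HttpOnly` attributes, shows that the weak cookie would accompany an `http://` request while the hardened one would not, and prints `session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax` as the corrected header. The same `audit` function can be pointed at the `Set-Cookie` headers a deployment actually returns to confirm the fix is in place.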
