Path Traversal and OS Command Injection Vulnerability in Parisneo's Lollms Web UI
CVE-2024-10019

6.3MEDIUM

Key Information:

Vendor: Parisneo
Status: Parisneo/lollms-webui
Vendor: CVE Published:; 20 March 2025

What is CVE-2024-10019?

A vulnerability exists in the 'start_app_server' function of Parisneo's Lollms Web UI V12 (Strawberry) that permits attackers to execute arbitrary code via path traversal and OS command injection. The vulnerability arises because the function inadequately sanitizes the 'app_name' parameter, allowing a malicious user to upload a compromised 'server.py' file. This exploitation can lead to severe security implications, as attackers gain the ability to execute unauthorized commands on the server.

Affected Version(s)

parisneo/lollms-webui <= unspecified

References

https://huntr.com/bounties/3cf80890-2d8a-4fc7-8e0e-6d4bf6...

CVSS V3.0

Score:

6.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 20, 2025
Vulnerability Reserved
Oct 16, 2024