Path Traversal and OS Command Injection Vulnerability in Parisneo's Lollms Web UI
CVE-2024-10019

6.3MEDIUM

Key Information:

Vendor
Parisneo
Status
Parisneo/lollms-webui
Vendor
CVE Published:
20 March 2025

Summary

A vulnerability exists in the 'start_app_server' function of Parisneo's Lollms Web UI V12 (Strawberry) that permits attackers to execute arbitrary code via path traversal and OS command injection. The vulnerability arises because the function inadequately sanitizes the 'app_name' parameter, allowing a malicious user to upload a compromised 'server.py' file. This exploitation can lead to severe security implications, as attackers gain the ability to execute unauthorized commands on the server.

Affected Version(s)

parisneo/lollms-webui <= unspecified

References

https://huntr.com/bounties/3cf80890-2d8a-4fc7-8e0e-6d4bf6...

CVSS V3.0

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2024-10019 : Path Traversal and OS Command Injection Vulnerability in Parisneo's Lollms Web UI | SecurityVulnerability.io