Remote Code Execution Vulnerability in Parisneo/Lollms-Webui
CVE-2024-2359
Key Information:
- Vendor: Parisneo
- Product: parisneo/lollms-webui
- CVE Published: 6 June 2024
Summary
A vulnerability in Parisneo Lollms Web UI version 9.3 allows an attacker to bypass the intended access restriction on the /execute_code endpoint and execute arbitrary code. That endpoint is meant to be unreachable while the server is exposed to external clients, but the guard protecting it does not look at the actual origin of the request: it consults the application's runtime `host` setting, which can be rewritten through the API. The /update_setting endpoint that writes this setting is poorly secured, so a remote attacker can first call /update_setting to change `host` to a value the guard accepts, then call /execute_code, which now passes the check, resulting in unauthorized remote code execution. The issue is classified as improper neutralization of special elements used in an OS command (CWE-78); the enabling flaw is that an access-control decision rests on attacker-writable configuration rather than on the request's real source or the server's real bind address.
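The following is an added example, not lollms-webui's own code: a small Python model of the two endpoints that replays the sequence described above against a vulnerable guard and against a hardened one. Only the endpoint names (/execute_code, /update_setting) and the `host` setting come from the advisory; the config layout, the set of values the flawed check treats as "local", the client-address handling, the attacker address and the payload string are assumptions made for illustration, and no code is actually executed.

```python
"""Added example (not lollms-webui code): models the bypass CVE-2024-2359
describes.  Endpoint names and the `host` setting follow the advisory;
the config layout, the "trusted" host values, the client-address handling
and all sample inputs are assumptions.  Nothing is really executed."""
import ipaddress
from dataclasses import dataclass, field

# Assumed: the strings the flawed guard accepts as "server is not exposed".
TRUSTED_HOST_VALUES = {"localhost", "127.0.0.1", "::1"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: source address plus JSON body."""
    client_ip: str
    body: dict


@dataclass
class Config:
    host: str = "0.0.0.0"            # server was started exposed on all interfaces
    extra: dict = field(default_factory=dict)


class VulnerableServer:
    """Flaw: the guard on /execute_code reads a runtime-writable setting."""

    def __init__(self) -> None:
        self.config = Config()

    def _not_exposed(self) -> bool:
        # Only the configured string is consulted, never the real bind
        # address or the caller's source address.
        return self.config.host in TRUSTED_HOST_VALUES

    def update_setting(self, req: Request) -> dict:
        # No access control and no allow-list of writable keys (assumed shape).
        name, value = req.body["setting_name"], req.body["setting_value"]
        if name == "host":
            self.config.host = value
        else:
            self.config.extra[name] = value
        return {"status": True}

    def execute_code(self, req: Request) -> dict:
        if not self._not_exposed():
            return {"status": False, "error": "code execution blocked while exposed"}
        # A real handler would run req.body["code"]; we only report acceptance.
        return {"status": True, "executed": req.body["code"]}


class HardenedServer:
    """Fix: decide on facts the caller cannot rewrite through the API."""

    def __init__(self, bind_host: str = "0.0.0.0") -> None:
        self.config = Config(host=bind_host)
        self._bind_host = bind_host  # captured at startup, never re-read from config

    @staticmethod
    def _is_local_client(req: Request) -> bool:
        try:
            return ipaddress.ip_address(req.client_ip).is_loopback
        except ValueError:
            return False

    def update_setting(self, req: Request) -> dict:
        if not self._is_local_client(req):
            return {"status": False, "error": "settings are local-only"}
        name, value = req.body["setting_name"], req.body["setting_value"]
        if name == "host":
            return {"status": False, "error": "host is fixed at startup"}
        self.config.extra[name] = value
        return {"status": True}

    def execute_code(self, req: Request) -> dict:
        if not self._is_local_client(req):
            return {"status": False, "error": "code execution is local-only"}
        return {"status": True, "executed": req.body["code"]}


def replay_attack(server) -> tuple:
    """Runs the advisory's sequence from a remote address and returns
    (execute_before, update_accepted, execute_after) success flags."""
    attacker_ip = "203.0.113.7"           # constructed: documentation range
    payload = {"code": "print('hi')"}     # constructed payload
    before = server.execute_code(Request(attacker_ip, payload))["status"]
    tampered = server.update_setting(
        Request(attacker_ip, {"setting_name": "host", "setting_value": "localhost"})
    )["status"]
    after = server.execute_code(Request(attacker_ip, payload))["status"]
    return before, tampered, after


if __name__ == "__main__":
    print("vulnerable:", replay_attack(VulnerableServer()))  # (False, True, True)
    print("hardened:  ", replay_attack(HardenedServer()))    # (False, False, False)
```

The hardened variant makes two changes that the advisory's description points to: the exposure decision is taken from the bind address captured at startup and from the requester's source address, neither of which the settings API can modify, and the settings endpoint itself is restricted to local callers and refuses to change `host` at runtime. If the service sits behind a reverse proxy, the peer address seen by the application may be the proxy's loopback address, so a loopback check alone is not sufficient there; authentication on both endpoints is the safer fix.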
Affected Version(s)
parisneo/lollms-webui <= unspecified (version 9.3 is confirmed affected; see Summary)
Timeline
- Vulnerability reserved
- Vulnerability published: 6 June 2024