Command Injection Vulnerability in lollms-webui Could Lead to Remote Code Execution
CVE-2024-3126

8.4 HIGH

Key Information:

Vendor: Parisneo
Product: Parisneo/lollms-webui
CVE Published: 16 May 2024

Summary

A command injection vulnerability (CWE-78, improper neutralization of special elements used in an OS command) exists in the 'run_xtts_api_server' function of parisneo's lollms-webui. The function, in the 'lollms_xtts.py' script, builds an operating system command with a Python f-string that embeds the user-supplied 'xtts_base_url' parameter without any filtering, and hands the resulting string to 'subprocess.Popen'. Because shell metacharacters in the parameter are not neutralized, anyone who controls 'xtts_base_url' can append their own command sequence and have it executed on the host with the privileges of the lollms-webui process. The flaw affects all versions of lollms-webui up to and including 9.5 and can lead to remote execution of malicious code.
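The following Python example, added here and not taken from the lollms-webui code base, reproduces the pattern the summary describes and sets it beside a hardened form. The real server launch is replaced by a stand-in `echo` so the snippet is harmless to run; the function names `build_command_vulnerable`, `run_vulnerable`, `validate_base_url`, `build_command_hardened` and `run_hardened`, the allow-list regex, and the constructed malicious value of `xtts_base_url` are all assumptions for illustration. The vulnerable path assumes a POSIX shell (`;` as a command separator).

```python
import re
import subprocess
from urllib.parse import urlparse


def build_command_vulnerable(xtts_base_url: str) -> str:
    # Stand-in for the pattern in the advisory: user input dropped straight
    # into an f-string that is later executed by a shell. `echo` replaces the
    # real xtts server launch so this is safe to run (hypothetical command).
    return f"echo starting xtts server at {xtts_base_url}"


def run_vulnerable(xtts_base_url: str) -> str:
    # shell=True means the whole string is parsed by /bin/sh, so a value such
    # as "http://host:8020; echo INJECTED" runs a second command.
    proc = subprocess.run(
        build_command_vulnerable(xtts_base_url),
        shell=True, capture_output=True, text=True,
    )
    return proc.stdout


# Allow-list for a base URL: scheme, host, port and a simple path. No spaces,
# quotes, semicolons, pipes, backticks or "$(" can get through this class.
_URL_CHARS = re.compile(r"[A-Za-z0-9.\-_:/]+")


def validate_base_url(xtts_base_url: str) -> str:
    # Assumed validation policy: reject anything outside the allow-list, then
    # require a parseable http(s) URL with a host and a numeric port (if any).
    if not _URL_CHARS.fullmatch(xtts_base_url):
        raise ValueError("xtts_base_url contains characters outside the allow-list")
    parsed = urlparse(xtts_base_url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError("xtts_base_url must be an http(s) URL with a host")
    parsed.port  # raises ValueError when the port is not an integer
    return xtts_base_url


def is_rejected(xtts_base_url: str) -> bool:
    # Convenience wrapper so callers can check the policy without try/except.
    try:
        validate_base_url(xtts_base_url)
    except ValueError:
        return True
    return False


def build_command_hardened(xtts_base_url: str) -> list[str]:
    # Two independent fixes: the argument list form never touches a shell,
    # and the value is validated so the launched program also receives a URL.
    url = validate_base_url(xtts_base_url)
    return ["echo", "starting xtts server at", url]


def run_hardened(xtts_base_url: str) -> str:
    # shell=False (the default): each list element is exactly one argv entry.
    proc = subprocess.run(
        build_command_hardened(xtts_base_url),
        capture_output=True, text=True,
    )
    return proc.stdout


if __name__ == "__main__":
    benign = "http://127.0.0.1:8020"                      # constructed sample
    malicious = "http://127.0.0.1:8020; echo INJECTED"    # constructed sample
    print("vulnerable, benign  :", repr(run_vulnerable(benign)))
    print("vulnerable, malicious:", repr(run_vulnerable(malicious)))
    print("hardened, benign    :", repr(run_hardened(benign)))
    print("hardened rejects malicious:", is_rejected(malicious))
```

Switching `subprocess.Popen` from a single string with `shell=True` to an argument list is the fix that removes the shell from the picture; the URL validation is kept as well because the argument still reaches the xtts server process, which may interpret it in its own way, and because a request-level check rejects the bad value before any process is spawned.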

Affected Version(s)

parisneo/lollms-webui < 9.5

References

CVSS V3.1

Score:
8.4
Severity:
HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 16 May 2024

  • Vulnerability reserved