Remote Code Execution Vulnerability in Parisneo's Lollms-Webui
CVE-2024-4267

9.8CRITICAL

Key Information:

Vendor: parisneo
Status: Lollms-webui
Vendor: CVE Published:; 22 May 2024

What is CVE-2024-4267?

A remote code execution vulnerability exists in the parisneo/lollms-webui, specifically within the 'open_file' module. The vulnerability is triggered by improper handling of user-supplied file paths in the 'open_file' function, which can lead to the execution of arbitrary system commands. This occurs due to the unsafe usage of subprocess.Popen without sufficient validation, enabling an attacker to craft a malicious file path that compromises system integrity by executing unintended commands or reading sensitive content.

References

https://huntr.com/bounties/5a127724-cc13-4ea6-b81f-41546a...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 22, 2024

JSON