Remote Code Execution Vulnerability in Parisneo/Lollms-Webui
CVE-2024-4326
CVSS 9.8 CRITICAL
Key Information:
- Vendor: Parisneo
- Affected project: Parisneo/lollms-webui
- CVE Published: 16 May 2024
Summary
A vulnerability exists in Lollms-Webui by Parisneo, where insufficient protection of the /apply_settings and /execute_code endpoints permits remote attackers to execute arbitrary code. By modifying the host setting to localhost, an attacker can bypass the existing security measures, thereby disabling essential code validation through the /apply_settings endpoint. Following this, they can exploit the /execute_code endpoint to run arbitrary commands remotely, because the new settings are not enforced immediately. This significant security issue was remedied in version 9.5 to prevent unauthorized code execution.
Affected Version(s)
parisneo/lollms-webui < 9.5
CVSS V3.1
- Score: 9.8
- Severity: CRITICAL
- Confidentiality: High
- Integrity: High
- Availability: High
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Timeline
- Vulnerability published
- Vulnerability reserved
Collectors
- NVD Database
- Mitre Database