Remote Code Execution Vulnerability in Parisneo/Lollms-Webui

CVE-2024-4326

9.8CRITICAL

Key Information

Vendor: Parisneo
Status: Parisneo/lollms-webui
Vendor: CVE Published:; 16 May 2024

Summary

A vulnerability in parisneo/lollms-webui versions up to 9.3 allows remote attackers to execute arbitrary code. The vulnerability stems from insufficient protection of the `/apply_settings` and `/execute_code` endpoints. Attackers can bypass protections by setting the host to localhost, enabling code execution, and disabling code validation through the `/apply_settings` endpoint. Subsequently, arbitrary commands can be executed remotely via the `/execute_code` endpoint, exploiting the delay in settings enforcement. This issue was addressed in version 9.5.

Affected Version(s)

parisneo/lollms-webui < 9.5

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Risk change from: null to: 9.8 - (CRITICAL)
May 16, 2024
Vulnerability published.
May 16, 2024
Vulnerability Reserved.
Apr 29, 2024

Collectors

NVD DatabaseMitre Database