Description

parisneo/lollms-webui is vulnerable to stored Cross-Site Scripting (XSS) that leads to Remote Code Execution (RCE). The vulnerability arises due to inadequate sanitization and validation of model output data, allowing an attacker to inject malicious JavaScript code. This code can be executed within the user's browser context, enabling the attacker to send a request to the `/execute_code` endpoint and establish a reverse shell to the attacker's host. The issue affects various components of the application, including the handling of user input and model output.

INFO

Published Date :

2024-04-10T17:08:02.423Z

Last Modified :

2024-08-01T18:48:21.887Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2024-1602 vulnerability.

Vendors Products
Lollms
  • Lollms Web Ui
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-1602.

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact