Description

A vulnerability in parisneo/lollms-webui versions up to 9.3 allows remote attackers to execute arbitrary code. The vulnerability stems from insufficient protection of the `/apply_settings` and `/execute_code` endpoints. Attackers can bypass protections by setting the host to localhost, enabling code execution, and disabling code validation through the `/apply_settings` endpoint. Subsequently, arbitrary commands can be executed remotely via the `/execute_code` endpoint, exploiting the delay in settings enforcement. This issue was addressed in version 9.5.

INFO

Published Date :

2024-05-16T09:03:47.208Z

Last Modified :

2024-08-01T20:40:46.028Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2024-4326 vulnerability.

Vendors Products
Lollms
  • Lollms Web Ui
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-4326.

URL Resource
https://github.com/parisneo/lollms-webui/commit/abb4c6d495a95a3ef5b114ffc57f85cd650b905e cve-icon cve-icon cve-icon
https://huntr.com/bounties/2ab9f03d-0538-4317-be21-0748a079cbdd cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact