@huntr_aiCVE-2024-4326CVE-2024-4326
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
9.0%
A vulnerability in parisneo/lollms-webui versions up to 9.3 allows remote attackers to execute arbitrary code. The vulnerability stems from insufficient protection of the /apply_settings and /execute_code endpoints. Attackers can bypass protections by setting the host to localhost, enabling code execution, and disabling code validation through the /apply_settings endpoint. Subsequently, arbitrary commands can be executed remotely via the /execute_code endpoint, exploiting the delay in settings enforcement. This issue was addressed in version 9.5.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| parisneo | lollms_web_ui | 9.5 | cpe:2.3:a:parisneo:lollms_web_ui:9.5:*:*:*:*:*:*:* |
CNA Affected
[
{
"vendor": "parisneo",
"product": "parisneo/lollms-webui",
"versions": [
{
"version": "unspecified",
"lessThan": "9.5",
"status": "affected",
"versionType": "custom"
}
]
}
]Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
9.0%