Lucene search

K
cvelist@huntr_aiCVELIST:CVE-2024-4267
HistoryMay 22, 2024 - 7:29 p.m.

CVE-2024-4267 Remote Code Execution in parisneo/lollms-webui

2024-05-2219:29:56
CWE-77
@huntr_ai
www.cve.org
remote code execution
parisneo/lollms-webui
command injection
improper neutralization
user-supplied paths

8.4 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.0004 Low

EPSS

Percentile

9.0%

A remote code execution (RCE) vulnerability exists in the parisneo/lollms-webui, specifically within the ‘open_file’ module, version 9.5. The vulnerability arises due to improper neutralization of special elements used in a command within the ‘open_file’ function. An attacker can exploit this vulnerability by crafting a malicious file path that, when processed by the ‘open_file’ function, executes arbitrary system commands or reads sensitive file content. This issue is present in the code where subprocess.Popen is used unsafely to open files based on user-supplied paths without adequate validation, leading to potential command injection.

CNA Affected

[
  {
    "vendor": "parisneo",
    "product": "parisneo/lollms-webui",
    "versions": [
      {
        "version": "unspecified",
        "status": "affected",
        "versionType": "custom",
        "lessThanOrEqual": "latest"
      }
    ]
  }
]

8.4 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.0004 Low

EPSS

Percentile

9.0%

Related for CVELIST:CVE-2024-4267