2982 matches found

Cvelist
added 2024/05/22 7:29 p.m. | 18 views

CVE-2024-4267 Remote Code Execution in parisneo/lollms-webui

A remote code execution (RCE) vulnerability exists in the parisneo/lollms-webui, specifically within the 'openfile' module, version 9.5. The vulnerability arises due to improper neutralization of special elements used in a command within the 'openfile' function. An attacker can exploit this...

CVSS 8.4 | AI score 8.8 | EPSS 0.01484
Exploits 1 | References 1

BDU FSTEC
added 2024/05/20 12:0 a.m. | 3 views

The vulnerability of the download_file_stream() function (backend/apps/web/routers/utils.py) in the AI-based web interface Open WebUI (previously Ollama WebUI) allows an attacker to perform an SSRF attack.

The vulnerability of the download_file_stream function located in backend/apps/web/routers/utils.py of the Open WebUI (formerly Ollama WebUI) AI-based web interface is related to the manipulation of requests on the server-side during the processing of the url parameter. Exploiting this vulnerability...

CVSS 7.5 | AI score 5.5 | EPSS 0.00412
Exploits 1 | References 4 | Affected Software 1

Tenable Nessus
added 2024/05/17 12:0 a.m. | 31 views

openSUSE 15 Security Update : opera (openSUSE-SU-2024:0128-1)

The remote openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2024:0128-1 advisory. - Object corruption in V8 in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to potentially exploit object corruption via a crafte...

CVSS 9.8 | AI score 7.1 | EPSS 0.14958
Exploits 10 | References 29

NVD
added 2024/05/16 9:15 a.m. | 23 views

CVE-2024-3435

A path traversal vulnerability exists in the 'save_settings' endpoint of the parisneo/lollms-webui application, affecting versions up to the latest release before 9.5. The vulnerability arises due to insufficient sanitization of the 'config' parameter in the 'apply_settings' function, allowing an...

CVSS 8.4 | AI score 8.7 | EPSS 0.00825
Exploits 1 | References 2

OSV
added 2024/05/16 9:15 a.m. | 14 views

CVE-2024-3435

A path traversal vulnerability exists in the 'save_settings' endpoint of the parisneo/lollms-webui application, affecting versions up to the latest release before 9.5. The vulnerability arises due to insufficient sanitization of the 'config' parameter in the 'apply_settings' function, allowing an...

CVSS 8.4 | AI score 7.8
Exploits 0 | References 2

OSV
added 2024/05/16 9:15 a.m. | 2 views

CVE-2024-2366

A remote code execution vulnerability exists in the parisneo/lollms-webui application, specifically within the reinstall_binding functionality in lollms_core/lollms/server/endpoints/lollms_binding_infos.py of the latest version. The vulnerability arises due to insufficient path sanitization, allowing...

CVSS 9 | AI score 9.4
Exploits 0 | References 1

NVD
added 2024/05/16 9:15 a.m. | 10 views

CVE-2024-2361

A vulnerability in the parisneo/lollms-webui allows for arbitrary file upload and read due to insufficient sanitization of user-supplied input. Specifically, the issue resides in the install_model function within lollms_core/lollms/binding.py, where the application fails to properly sanitize the...

CVSS 9.6 | AI score 9.3 | EPSS 0.00634
Exploits 1 | References 1

OSV
added 2024/05/16 9:15 a.m. | 2 views

CVE-2024-2361

A vulnerability in the parisneo/lollms-webui allows for arbitrary file upload and read due to insufficient sanitization of user-supplied input. Specifically, the issue resides in the install_model function within lollms_core/lollms/binding.py, where the application fails to properly sanitize the...

CVSS 9.6 | AI score 9.3
Exploits 0 | References 1

NVD
added 2024/05/16 9:15 a.m. | 7 views

CVE-2024-2358

A path traversal vulnerability in the '/apply_settings' endpoint of parisneo/lollms-webui allows attackers to execute arbitrary code. The vulnerability arises due to insufficient sanitization of user-supplied input in the configuration settings, specifically within the 'extensions' parameter...

CVSS 9.8 | AI score 9.9 | EPSS 0.01123
Exploits 1 | References 1

CVE
added 2024/05/16 9:3 a.m. | 50 views

CVE-2024-2361

CVE-2024-2361 affects parisneo/lollms-webui. The vulnerability resides in the install_model() function of lollms_core/lollms/binding.py, where improper sanitization of the file:// protocol and other inputs enables path traversal. Attackers can manipulate the path and variant_name parameters to re...

CVSS 9.6 | AI score 6.8 | EPSS 0.00634
Exploits 1 | References 1 | Affected Software 1

Vulnrichment
added 2024/05/16 9:3 a.m. | 9 views

CVE-2024-2361 Arbitrary Upload & Read via Path Traversal in parisneo/lollms-webui

A vulnerability in the parisneo/lollms-webui allows for arbitrary file upload and read due to insufficient sanitization of user-supplied input. Specifically, the issue resides in the install_model function within lollms_core/lollms/binding.py, where the application fails to properly sanitize the...

CVSS 9.6 | AI score 6.9 | EPSS 0.00634
Exploits 1 | References 1

Cvelist
added 2024/05/16 9:3 a.m. | 15 views

CVE-2024-2361 Arbitrary Upload & Read via Path Traversal in parisneo/lollms-webui

A vulnerability in the parisneo/lollms-webui allows for arbitrary file upload and read due to insufficient sanitization of user-supplied input. Specifically, the issue resides in the install_model function within lollms_core/lollms/binding.py, where the application fails to properly sanitize the...

CVSS 9.6 | AI score 9.4 | EPSS 0.00634
Exploits 1 | References 1

CVE
added 2024/05/16 9:3 a.m. | 48 views

CVE-2024-2366

The CVE-2024-2366 issue affects parisneo/lollms-webui, specifically the reinstall_binding function in lollms_core/lollms/server/endpoints/lollms_binding_infos.py. It arises from insufficient path sanitization, enabling path traversal to arbitrary directories. An attacker can set binding_path to a...

CVSS 9 | AI score 8.2 | EPSS 0.00662
Exploits 1 | References 1 | Affected Software 1

Vulnrichment
added 2024/05/16 9:3 a.m. | 15 views

CVE-2024-2366 Remote Code Execution in parisneo/lollms-webui

A remote code execution vulnerability exists in the parisneo/lollms-webui application, specifically within the reinstall_binding functionality in lollms_core/lollms/server/endpoints/lollms_binding_infos.py of the latest version. The vulnerability arises due to insufficient path sanitization, allowing...

CVSS 9 | AI score 8.2 | EPSS 0.00662
Exploits 1 | References 1

Cvelist
added 2024/05/16 9:3 a.m. | 14 views

CVE-2024-2366 Remote Code Execution in parisneo/lollms-webui

A remote code execution vulnerability exists in the parisneo/lollms-webui application, specifically within the reinstall_binding functionality in lollms_core/lollms/server/endpoints/lollms_binding_infos.py of the latest version. The vulnerability arises due to insufficient path sanitization, allowing...

CVSS 9 | AI score 9.6 | EPSS 0.00662
Exploits 1 | References 1

CVE
added 2024/05/16 9:3 a.m. | 65 views

CVE-2024-3435

CVE-2024-3435 affects parisneo/lollms-webui prior to version 9.5. The flaw is a path traversal vulnerability in the save_settings endpoint, caused by insufficient sanitization of the config parameter in the apply_settings function. Attackers can manipulate the application’s configuration by sendi...

CVSS 8.4 | AI score 7.6 | EPSS 0.00825
Exploits 1 | References 2 | Affected Software 1

Vulnrichment
added 2024/05/16 9:3 a.m. | 16 views

CVE-2024-3435 Path Traversal in parisneo/lollms-webui

A path traversal vulnerability exists in the 'save_settings' endpoint of the parisneo/lollms-webui application, affecting versions up to the latest release before 9.5. The vulnerability arises due to insufficient sanitization of the 'config' parameter in the 'apply_settings' function, allowing an...

CVSS 8.4 | AI score 7.7 | EPSS 0.00825
Exploits 1 | References 2

Cvelist
added 2024/05/16 9:3 a.m. | 24 views

CVE-2024-3435 Path Traversal in parisneo/lollms-webui

A path traversal vulnerability exists in the 'save_settings' endpoint of the parisneo/lollms-webui application, affecting versions up to the latest release before 9.5. The vulnerability arises due to insufficient sanitization of the 'config' parameter in the 'apply_settings' function, allowing an...

CVSS 8.4 | AI score 8.9 | EPSS 0.00825
Exploits 1 | References 2

Vulnrichment
added 2024/05/16 9:3 a.m. | 21 views

CVE-2024-3126 Command Injection in parisneo/lollms-webui

A command injection vulnerability exists in the 'runxttsapiserver' function of the parisneo/lollms-webui application, specifically within the 'lollmsxtts.py' script. The vulnerability arises due to the improper neutralization of special elements used in an OS command. The affected function utiliz...

CVSS 8.4 | AI score 8.6 | EPSS 0.01321
Exploits 1 | References 2

Cvelist
added 2024/05/16 9:3 a.m. | 19 views

CVE-2024-4326 Remote Code Execution via `/apply_settings` and `/execute_code` in parisneo/lollms-webui

A vulnerability in parisneo/lollms-webui versions up to 9.3 allows remote attackers to execute arbitrary code. The vulnerability stems from insufficient protection of the /apply_settings and /execute_code endpoints. Attackers can bypass protections by setting the host to localhost, enabling code...

CVSS 9.8 | AI score 9.9 | EPSS 0.00968
Exploits 1 | References 2