CVE-2024-3126 Command Injection in parisneo/lollms-webui
A command injection vulnerability exists in the 'run_xtts_api_server' function of the parisneo/lollms-webui application, specifically within the 'lollms_xtts.py' script. The vulnerability arises due to the improper neutralization of special elements used in an OS command. The affected function utiliz...
CVE-2024-3126
CVE-2024-3126 concerns the parisneo/lollms-webui project, specifically the bug in the Python file lollms_xtts.py and the function run_xtts_api_server. The issue stems from constructing an OS command with a Python f-string and passing xtts_base_url to subprocess.Popen without adequate input saniti...
CVE-2024-4326 Remote Code Execution via `/apply_settings` and `/execute_code` in parisneo/lollms-webui
A vulnerability in parisneo/lollms-webui versions up to 9.3 allows remote attackers to execute arbitrary code. The vulnerability stems from insufficient protection of the /apply_settings and /execute_code endpoints. Attackers can bypass protections by setting the host to localhost, enabling code...
CVE-2024-4326
Parisneo/lollms-webui is affected by a remote code execution vulnerability impacting versions up to 9.3. The flaw arises from insufficient protection of the /apply_settings and /execute_code endpoints, enabling an attacker to bypass protections by setting the host to localhost, disable code valid...
CVE-2024-4322 Path Traversal in parisneo/lollms-webui
A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the /list_personalities endpoint. By manipulating the category parameter, an attacker can traverse the directory structure and list any directory on the system. This issue affects the latest version...
CVE-2024-2358 Path Traversal leading to Remote Code Execution in parisneo/lollms-webui
A path traversal vulnerability in the '/apply_settings' endpoint of parisneo/lollms-webui allows attackers to execute arbitrary code. The vulnerability arises due to insufficient sanitization of user-supplied input in the configuration settings, specifically within the 'extensions' parameter...
CVE-2024-2358
The CVE-2024-2358 path-traversal vulnerability affects parisneo/lollms-webui, exposed via the /apply_settings endpoint where unsanitized user input in the extensions parameter enables navigation to arbitrary directories. An attacker could craft a payload with ../../../ sequences to load and execu...
CVE-2024-4322
The CVE-2024-4322 issue affects parisneo/lollms-webui, specifically the /list_personalities endpoint. The vulnerability arises from improper handling of user-controlled input in the category parameter, enabling path traversal to list arbitrary directories on the host. Reports across multiple sour...
PT-2024-30383
Name of the Vulnerable Software and Affected Versions: parisneo/lollms-webui, affected versions not specified Description: A path traversal issue exists, specifically within the "/list_personalities" endpoint, allowing an attacker to traverse the directory structure by manipulating the...
PT-2024-23903 · Parisneo · Lollms-Webui
Name of the Vulnerable Software and Affected Versions: parisneo/lollms-webui versions prior to 9.5 Description: A command injection issue exists due to the improper neutralization of special elements in an OS command within the run_xtts_api_server function of the lollms_xtts.py script. This allow...
CVE-2024-2299
CVE-2024-2299 describes a stored XSS in the parisneo/lollms-webui profile picture upload due to improper validation of uploaded files. The vulnerability can be triggered by uploading malicious HTML files containing JavaScript, which executes when accessed. It is remotely exploitable via CSRF, ena...
PT-2024-19635 · Unknown · Lollms-Webui
Name of the Vulnerable Software and Affected Versions: lollms-webui, affected versions not specified Description: A stored Cross-Site Scripting (XSS) issue exists due to improper validation of uploaded files in the profile picture upload functionality. Attackers can exploit this by uploading malicio...
VulnCheck KEV: CVE-2024-0800
A path traversal vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet...
GLSA-202405-14 : QtWebEngine: Multiple Vulnerabilities
The remote host is affected by the vulnerability described in GLSA-202405-14 QtWebEngine: Multiple Vulnerabilities - Insufficient policy enforcement in iOS Security UI in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium...
Meinberg LANTIME Remote Code Execution (CVE-2020-7240)
Meinberg Lantime devices allow attackers with privileges to configure a device to execute arbitrary OS commands by editing the /config/netconf.cmd script aka Extended Network Configuration. Note: According to the description, the vulnerability requires a fully authenticated super-user account usi...
Fedora 40 : chromium (2024-8b50ca2e22)
The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-8b50ca2e22 advisory. update to 124.0.6367.60 High CVE-2024-3832: Object corruption in V8 High CVE-2024-3833: Object corruption in WebAssembly High CVE-2024-3914: Use aft...
Fedora 38 : chromium (2024-2c9be9d949)
The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-2c9be9d949 advisory. update to 124.0.6367.78 Critical CVE-2024-4058: Type Confusion in ANGLE High CVE-2024-4059: Out of bounds read in V8 API High CVE-2024-4060: Use aft...
Updated chromium-browser-stable packages fix security vulnerabilities
The chromium-browser-stable package has been updated to the 124.0.6367.60 release. It includes 23 security fixes. Please do note that only x86_64 is supported from now on. i586 support for Linux was stopped some years ago and the community is not able to provide patches anymore for the latest Chromiu...
The vulnerability in the user interface of Microsoft Edge and Google Chrome browsers allows attackers to circumvent existing security restrictions.
The vulnerability of the WebUI user interfaces of Microsoft Edge and Google Chrome is related to deficiencies in access control. Exploiting this vulnerability allows a malicious actor to bypass existing security restrictions remotely...