Lollms Web Ui
CVE-2024-1522
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from Vendor (huntr) · only source for this CVE.
CVSS VectorVendor: huntr
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim's system. The vulnerability stems from the /execute_code API endpoint, which does not properly validate requests, enabling an attacker to craft a malicious webpage that, when visited by a victim, submits a form to the victim's local lollms-webui instance to execute arbitrary OS commands. This issue allows attackers to take full control of the victim's system without requiring direct network access to the vulnerable application.
AnalysisAI
A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim's system. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim's system. The vulnerability stems from the /execute_code API endpoint, which does not properly validate requests, enabling an attacker to craft a malicious webpage that, when visited by a victim, submits a form to the victim's local lollms-webui instance to execute arbitrary OS commands. This issue allows attackers to take full control of the victim's system without requiring direct network access to the vulnerable application. Affected products include: Lollms Lollms Web Ui.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.
More in Lollms Web Ui
View allA path traversal vulnerability exists in the `install` and `uninstall` API endpoints of parisneo/lollms-webui version V1
A remote code execution (RCE) vulnerability exists in the '/install_extension' endpoint of the parisneo/lollms-webui app
A path traversal vulnerability exists in the 'cyber_security/codeguard' native personality of the parisneo/lollms-webui,
A path traversal and arbitrary file upload vulnerability exists in the parisneo/lollms-webui application, specifically w
parisneo/lollms-webui is vulnerable to path traversal attacks that can lead to remote code execution due to insufficient
A vulnerability in the parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and exe
A Server-Side Request Forgery (SSRF) vulnerability exists in the 'add_webpage' endpoint of the parisneo/lollms-webui app
A vulnerability in parisneo/lollms-webui versions up to 9.3 allows remote attackers to execute arbitrary code. Rated cri
A path traversal vulnerability in the '/apply_settings' endpoint of parisneo/lollms-webui allows attackers to execute ar
An OS Command Injection vulnerability exists in the '/open_code_folder' endpoint of the parisneo/lollms-webui applicatio
The parisneo/lollms-webui repository is susceptible to a path traversal vulnerability due to inadequate validation of us
A vulnerability in the parisneo/lollms-webui allows for arbitrary file upload and read due to insufficient sanitization
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today