Vulnerability Details CVE-2024-1522
A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim's system. The vulnerability stems from the `/execute_code` API endpoint, which does not properly validate requests, enabling an attacker to craft a malicious webpage that, when visited by a victim, submits a form to the victim's local lollms-webui instance to execute arbitrary OS commands. This issue allows attackers to take full control of the victim's system without requiring direct network access to the vulnerable application.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.009
EPSS Ranking 75.3%
CVSS Severity
CVSS v3 Score 8.8
References
- https://github.com/parisneo/lollms-webui/commit/0b51063119cfb5e391925d232a4af1de9dc32e2b
- https://huntr.com/bounties/687cef92-3432-4d6c-af92-868eccabbb71
- https://github.com/parisneo/lollms-webui/commit/0b51063119cfb5e391925d232a4af1de9dc32e2b
- https://huntr.com/bounties/687cef92-3432-4d6c-af92-868eccabbb71
Products affected by CVE-2024-1522
-
cpe:2.3:a:parisneo:lollms-webui:*