VYPR
Unrated severity · NVD Advisory · Published Jun 6, 2024 · Updated Aug 1, 2024

Improper Neutralization of Special Elements used in an OS Command in parisneo/lollms-webui

CVE-2024-2359

Description

A vulnerability in parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and execute arbitrary code. The issue arises from the application's handling of the /execute_code endpoint, which is intended to be blocked from external access by default. However, attackers can exploit the /update_setting endpoint, which lacks proper access control, to modify the host configuration at runtime. By changing the host setting to an attacker-controlled value, the restriction on the /execute_code endpoint can be bypassed, leading to remote code execution. The weakness is classed as improper neutralization of special elements used in an OS command.
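The root cause described above is a gate whose input is writable by the same unauthenticated clients it is meant to keep out: /execute_code decides based on the configured host value, and /update_setting lets anyone rewrite that value. The following Python is an added illustration, not code from lollms-webui, its maintainers, or this advisory. It models that pattern with a toy `WeakServer` and places a `HardenedServer` beside it whose execute gate keys off the peer address the socket actually reported and a startup-only flag, and whose settings endpoint requires a credential and refuses to change `host` at runtime. The request model, the exact string comparisons, the admin token, and the peer addresses are all constructed for the example.

```python
"""Added illustration (not lollms-webui's code): a dangerous endpoint gated
on a runtime-mutable setting, next to a gate that does not depend on
anything an unauthenticated client can rewrite.

Everything here (request model, check wording, token, addresses) is
constructed for the example, not copied from the project."""

from dataclasses import dataclass, field
from typing import Optional
import hmac
import ipaddress


@dataclass
class Request:
    path: str
    peer_ip: str                      # address the server saw on the TCP connection
    body: dict = field(default_factory=dict)
    auth_token: Optional[str] = None


def is_loopback(ip: str) -> bool:
    """True only for a real loopback address; hostnames such as 'localhost' are not trusted."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


class WeakServer:
    """Models the advisory's pattern (constructed, not the project's code):
    /execute_code is refused only while the configured 'host' says the server
    is exposed, and /update_setting rewrites any setting with no access control,
    so the gate's decision input is attacker-writable."""

    def __init__(self, host: str = "0.0.0.0"):
        self.config = {"host": host}

    def handle(self, req: Request) -> str:
        if req.path == "/update_setting":
            # Defect 1: no authentication and no allow-list of mutable settings.
            self.config[req.body["setting_name"]] = req.body["setting_value"]
            return "updated"
        if req.path == "/execute_code":
            # Defect 2: the decision depends on configuration state, not on who is connected.
            if self.config["host"] not in ("localhost", "127.0.0.1"):
                return "blocked: server is exposed"
            return "executed"
        return "not found"


class HardenedServer:
    """Same two endpoints with both defects removed."""

    RUNTIME_MUTABLE = {"theme", "language"}   # 'host' deliberately absent (assumed set)

    def __init__(self, host: str, admin_token: str, allow_code_exec: bool = False):
        self.config = {"host": host}
        self._admin_token = admin_token            # constructed credential
        self._allow_code_exec = allow_code_exec    # fixed at startup, never via HTTP

    def handle(self, req: Request) -> str:
        if req.path == "/update_setting":
            if req.auth_token is None or not hmac.compare_digest(req.auth_token, self._admin_token):
                return "forbidden: authentication required"
            name = req.body["setting_name"]
            if name not in self.RUNTIME_MUTABLE:
                return f"forbidden: '{name}' cannot be changed at runtime"
            self.config[name] = req.body["setting_value"]
            return "updated"
        if req.path == "/execute_code":
            # Decide on the socket's peer address and a startup-only flag; neither
            # is reachable through the settings endpoint.
            if not self._allow_code_exec:
                return "blocked: code execution disabled"
            if not is_loopback(req.peer_ip):
                return "blocked: non-loopback client"
            return "executed"
        return "not found"


def replay(server) -> list:
    """Drive one server through the sequence the advisory describes: an external
    client calls /execute_code, rewrites 'host', then calls /execute_code again."""
    external = "203.0.113.10"   # constructed, from the documentation address range
    return [
        server.handle(Request("/execute_code", external)),
        server.handle(Request("/update_setting", external,
                              {"setting_name": "host", "setting_value": "localhost"})),
        server.handle(Request("/execute_code", external)),
    ]


if __name__ == "__main__":
    print("weak:    ", replay(WeakServer()))
    print("hardened:", replay(HardenedServer("0.0.0.0", admin_token="constructed-secret",
                                             allow_code_exec=True)))
```

Running the module shows the weak server flipping from blocked to executed after one unauthenticated settings call, while the hardened server refuses both the settings change and the execution, and keeps refusing even when an authenticated administrator tries to change `host` without a restart. The design point is that a guard on a high-impact endpoint should consume only inputs the client cannot influence (the connection's peer address, process-start configuration), and any endpoint that mutates configuration needs its own authorization plus an allow-list of what may change at runtime.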


Affected products (2 entries)

  • Lollms / Lollms (no CPE): version = 9.3
  • Lollms / Lollms (no CPE): version range unspecified
