VYPR

Lollms

by Lollms

pypi: lollms

Source repositories

CVEs (75)

  • CVE-2024-2178 (Jun 2, 2024)
    risk 0.00 cvss / epss 0.01

    A path traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'copy_to_custom_personas' endpoint in the 'lollms_personalities_infos.py' file. This vulnerability allows attackers to read arbitrary files by manipulating the 'category' and 'name'…

  • CVE-2024-4330 (May 30, 2024)
    risk 0.00 cvss / epss 0.00

    A path traversal vulnerability was identified in the parisneo/lollms-webui repository, specifically within version 9.6. The vulnerability arises due to improper handling of user-supplied input in the 'list_personalities' endpoint. By crafting a malicious HTTP request, an…

  • CVE-2024-4267 (May 22, 2024)
    risk 0.00 cvss / epss 0.01

    A remote code execution (RCE) vulnerability exists in the parisneo/lollms-webui, specifically within the 'open_file' module, version 9.5. The vulnerability arises due to improper neutralization of special elements used in a command within the 'open_file' function. An attacker…

  • CVE-2024-2361 (May 16, 2024)
    risk 0.00 cvss / epss 0.01

    A vulnerability in the parisneo/lollms-webui allows for arbitrary file upload and read due to insufficient sanitization of user-supplied input. Specifically, the issue resides in the `install_model()` function within `lollms_core/lollms/binding.py`, where the application fails…

  • CVE-2024-2366 (May 16, 2024)
    risk 0.00 cvss / epss 0.01

    A remote code execution vulnerability exists in the parisneo/lollms-webui application, specifically within the reinstall_binding functionality in lollms_core/lollms/server/endpoints/lollms_binding_infos.py of the latest version. The vulnerability arises due to insufficient path…

  • CVE-2024-3435 (May 16, 2024)
    risk 0.00 cvss / epss 0.01

    A path traversal vulnerability exists in the 'save_settings' endpoint of the parisneo/lollms-webui application, affecting versions up to the latest release before 9.5. The vulnerability arises due to insufficient sanitization of the 'config' parameter in the 'apply_settings'…

  • CVE-2024-3126 (May 16, 2024)
    risk 0.00 cvss / epss 0.01

    A command injection vulnerability exists in the 'run_xtts_api_server' function of the parisneo/lollms-webui application, specifically within the 'lollms_xtts.py' script. The vulnerability arises due to the improper neutralization of special elements used in an OS command. The…

  • CVE-2024-4326 (May 16, 2024)
    risk 0.00 cvss / epss 0.01

    A vulnerability in parisneo/lollms-webui versions up to 9.3 allows remote attackers to execute arbitrary code. The vulnerability stems from insufficient protection of the `/apply_settings` and `/execute_code` endpoints. Attackers can bypass protections by setting the host to…

  • CVE-2024-2358 (May 16, 2024)
    risk 0.00 cvss / epss 0.01

    A path traversal vulnerability in the '/apply_settings' endpoint of parisneo/lollms-webui allows attackers to execute arbitrary code. The vulnerability arises due to insufficient sanitization of user-supplied input in the configuration settings, specifically within the…

  • CVE-2024-2299 (May 12, 2024)
    risk 0.00 cvss / epss 0.00

    A stored Cross-Site Scripting (XSS) vulnerability exists in the parisneo/lollms-webui application due to improper validation of uploaded files in the profile picture upload functionality. Attackers can exploit this vulnerability by uploading malicious HTML files containing…

  • CVE-2024-1569 (Apr 16, 2024)
    risk 0.00 cvss / epss 0.01

    parisneo/lollms-webui is vulnerable to a denial of service (DoS) attack due to uncontrolled resource consumption. Attackers can exploit the `/open_code_in_vs_code` and similar endpoints without authentication by sending repeated HTTP POST requests, leading to the opening of…

  • CVE-2024-1646 (Apr 16, 2024)
    risk 0.00 cvss / epss 0.01

    parisneo/lollms-webui is vulnerable to authentication bypass due to insufficient protection over sensitive endpoints. The application checks if the host parameter is not '0.0.0.0' to restrict access, which is inadequate when the application is bound to a specific interface,…

  • CVE-2024-1602 (Apr 10, 2024)
    risk 0.00 cvss / epss 0.01

    parisneo/lollms-webui is vulnerable to stored Cross-Site Scripting (XSS) that leads to Remote Code Execution (RCE). The vulnerability arises due to inadequate sanitization and validation of model output data, allowing an attacker to inject malicious JavaScript code. This code…

  • CVE-2024-1511 (Apr 10, 2024)
    risk 0.00 cvss / epss 0.01

    The parisneo/lollms-webui repository is susceptible to a path traversal vulnerability due to inadequate validation of user-supplied file paths. This flaw allows an unauthenticated attacker to read, write, and in certain configurations execute arbitrary files on the server by…

  • CVE-2024-1522 (Mar 30, 2024)
    risk 0.00 cvss / epss 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim's system. The vulnerability stems from the `/execute_code` API endpoint, which does not properly validate requests, enabling an…