CVE-2024-10019 — OS Command Injection in Lollms-webui

CWE-78 — OS Command Injection CWE-23 — Relative Path Traversal2 documents2 sources

Severity

6.7MEDIUMNVD

EPSS

0.1%

top 82.21%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Parisneo Lollms-webui Lollms WEB UI

Timeline

PublishedMar 20

Description

A vulnerability in the `start_app_server` function of parisneo/lollms-webui V12 (Strawberry) allows for path traversal and OS command injection. The function does not properly sanitize the `app_name` parameter, enabling an attacker to upload a malicious `server.py` file and execute arbitrary code by exploiting the path traversal vulnerability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5parisneo/parisneo_lollms-webuiunspecified — latest

▶NVDlollms/lollms_web_ui12

🔴Vulnerability Details

GHSA

GHSA-gc79-m262-q226: A vulnerability in the `start_app_server` function of parisneo/lollms-webui V12 (Strawberry) allows for path traversal and OS command injection↗2025-03-20

▶