CVE-2024-1520
Published: 2024-04-10

Priority: P180 | Severity: critical | CVSS 3.0 base score: 9.8
CVSS 3.0 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (network, low complexity, no privileges, no user interaction, unchanged scope, high confidentiality/integrity/availability impact)
EPSS: 48.21% (98.7th percentile)
An OS Command Injection vulnerability exists in the '/open_code_folder' endpoint of the parisneo/lollms-webui application, due to improper validation of user-supplied input in the 'discussion_id' parameter. Attackers can exploit this vulnerability by injecting malicious OS commands, leading to unauthorized command execution on the underlying operating system. This could result in unauthorized access, data leakage, or complete system compromise.
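The advisory names the sink (a shell command built from the `discussion_id` query parameter of `/open_code_folder`) but not the code. The following is an added illustration, not lollms-webui's own code and not taken from the referenced commit: a hypothetical handler that opens a per-discussion folder by shelling out, shown in the vulnerable form and in a hardened form. The folder root, the `xdg-open` launcher and all function names are assumptions; only the endpoint and parameter names come from the CVE text.

```python
"""Vulnerable vs. hardened handling of discussion_id for /open_code_folder.

Illustrative code, not lollms-webui's implementation. The directory
layout, the launcher command and the helper names are assumptions.
"""
import os
import re
import shlex
import subprocess
from pathlib import Path

# Assumed (constructed) location of per-discussion folders.
DISCUSSIONS_ROOT = Path("/srv/lollms/discussion_databases")

# Allow-list: a discussion id is a plain decimal integer and nothing else.
_DISCUSSION_ID_RE = re.compile(r"[0-9]+")


def build_open_command_vulnerable(discussion_id: str) -> str:
    """Vulnerable pattern: the untrusted parameter is interpolated into a
    single shell string. Shell metacharacters in discussion_id (';', '|',
    '$(...)', backticks) are parsed as part of the command, which is the OS
    command injection the advisory describes."""
    folder = f"{DISCUSSIONS_ROOT}/{discussion_id}"
    return f"xdg-open {folder}"


def run_vulnerable(discussion_id: str) -> int:
    """Executes the string through /bin/sh (os.system). Do not call with
    untrusted input; included only to show the dangerous sink."""
    return os.system(build_open_command_vulnerable(discussion_id))


def shell_tokens(command: str) -> list[str]:
    """Show how a POSIX shell would tokenize the string, with ';' '|' '&'
    etc. surfaced as separate tokens (shlex with punctuation_chars)."""
    return list(shlex.shlex(command, punctuation_chars=True))


def build_open_command_safe(discussion_id: str) -> list[str]:
    """Hardened pattern: validate against an allow-list, resolve the path
    and confine it to the root, and return an argv list so that no shell
    ever sees the user-controlled value."""
    if not _DISCUSSION_ID_RE.fullmatch(discussion_id):
        raise ValueError("discussion_id must be a decimal integer")
    folder = (DISCUSSIONS_ROOT / discussion_id).resolve()
    # Belt and braces: the resolved folder must sit directly under the root.
    if folder.parent != DISCUSSIONS_ROOT.resolve():
        raise ValueError("discussion folder escapes the root")
    return ["xdg-open", str(folder)]


def run_safe(discussion_id: str) -> int:
    """argv-style execution (no shell=True); the launcher gets the path as a
    single argument regardless of its contents."""
    return subprocess.run(build_open_command_safe(discussion_id), check=False).returncode


def safe_rejects(discussion_id: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        build_open_command_safe(discussion_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "1; id"  # constructed injection payload
    print("vulnerable string :", build_open_command_vulnerable(payload))
    print("shell would run   :", shell_tokens(build_open_command_vulnerable(payload)))
    print("hardened argv     :", build_open_command_safe("1"))
    print("hardened rejects  :", safe_rejects(payload))
```

With the payload `1; id`, the vulnerable builder yields a string the shell splits into two commands, whereas the hardened builder rejects the value before any process is spawned. When reviewing a fix for this class of bug, look for both halves: input validation on `discussion_id` and removal of the shell from the execution path (no `os.system`, no `shell=True`).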
Affected (2 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lollms | lollms_web_ui | >= 9.0, < 9.2 | 9.2 |
| parisneo | parisneo_lollms-webui | < 9.1 (lower bound unspecified) | 9.1 |

The two entries disagree on the first fixed release (9.1 versus 9.2); verify the referenced commit is present in the build you run rather than relying on the version number alone.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References

- https://github.com/parisneo/lollms-webui/commit/2497d1a4fe5a09f003bf7a9bc426139e9295a934
- https://huntr.com/bounties/405c2059-3fe9-4233-8eed-741ec847d181