CVE-2024-1520: OS Command Injection in Lollms-webui

Severity: 9.8 CRITICAL (NVD)
EPSS: 11.4% (top 6.38%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 10, 2024

Description

An OS Command Injection vulnerability exists in the '/open_code_folder' endpoint of the parisneo/lollms-webui application, due to improper validation of user-supplied input in the 'discussion_id' parameter. Attackers can exploit this vulnerability by injecting malicious OS commands, leading to unauthorized command execution on the underlying operating system. This could result in unauthorized access, data leakage, or complete system compromise.
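The description names the bug class (untrusted discussion_id reaching an OS command) but not the code. The Python example below is added here to show that pattern beside its fix; it is a constructed stand-in, not lollms-webui's handler. The DISCUSSIONS_ROOT directory, the use of xdg-open, the function names and the "1; id" payload are all assumptions made for the illustration.

```python
import re
import subprocess
from pathlib import PurePosixPath

# Constructed illustration of the bug class in CVE-2024-1520: a handler that
# turns a user-supplied discussion_id into a folder path and hands it to the
# OS. This is NOT lollms-webui's code; the root directory, the xdg-open
# command and the handler names are assumptions made for the example.
DISCUSSIONS_ROOT = PurePosixPath("/tmp/lollms_discussions")  # assumed layout


class InvalidDiscussionId(ValueError):
    """Raised when discussion_id fails the allowlist check."""


def open_code_folder_vulnerable(discussion_id: str, run=subprocess.run) -> str:
    """Vulnerable pattern: the untrusted value is interpolated into one command
    string that is executed through the shell. Any shell metacharacter in
    discussion_id (';', '|', '$(...)', backticks) is parsed as shell syntax,
    so the client decides what gets executed."""
    command = f"xdg-open {DISCUSSIONS_ROOT}/{discussion_id}"
    run(command, shell=True, check=False)  # injection point
    return command


# Allowlist: a discussion id is a short decimal integer and nothing else.
# fullmatch() is used instead of ^...$ so a trailing newline cannot slip past.
DISCUSSION_ID_RE = re.compile(r"[0-9]{1,10}")


def validate_discussion_id(discussion_id: str) -> int:
    """Reject anything that is not a plain decimal id. Allowlisting the exact
    expected shape is safer than blocklisting known shell metacharacters."""
    if not isinstance(discussion_id, str) or not DISCUSSION_ID_RE.fullmatch(discussion_id):
        raise InvalidDiscussionId(f"invalid discussion_id: {discussion_id!r}")
    return int(discussion_id)


def open_code_folder_hardened(discussion_id: str, run=subprocess.run) -> list[str]:
    """Hardened pattern: validate first, then pass an argv list with shell=False
    so the path is a single argument that is never shell-parsed. Because the id
    is digits only, the joined path also cannot escape DISCUSSIONS_ROOT."""
    did = validate_discussion_id(discussion_id)
    argv = ["xdg-open", str(DISCUSSIONS_ROOT / str(did))]
    run(argv, shell=False, check=False)
    return argv


def _recording_runner(calls: list):
    """Test double: records what would have been executed instead of running it,
    so the example can be exercised without launching anything."""
    def run(cmd, **kwargs):
        calls.append((cmd, kwargs.get("shell", False)))
        return subprocess.CompletedProcess(cmd, 0)
    return run


if __name__ == "__main__":
    calls: list = []
    run = _recording_runner(calls)
    payload = "1; id"  # constructed: a benign shell-metacharacter demo value
    print("vulnerable builds:", open_code_folder_vulnerable(payload, run=run))
    try:
        open_code_folder_hardened(payload, run=run)
    except InvalidDiscussionId as exc:
        print("hardened rejected:", exc)
    print("hardened argv:", open_code_folder_hardened("42", run=run))
```

The two changes that matter are the allowlist check on discussion_id before any use and the argv-list call with shell=False; quoting the value with shlex.quote would also neutralise the shell, but it leaves the path-traversal question open, whereas a digits-only id settles both. Note that the CVSS vector on this page rates the endpoint PR:N, so the validation has to hold for unauthenticated callers, not just logged-in ones.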

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (2 packages)

Source       Package                           Version range
CVEListV5    parisneo/parisneo_lollms-webui    unspecified - 9.1
NVD          lollms/lollms_web_ui              9.0 - 9.2

Patches

🔴 Vulnerability Details

1. GHSA GHSA-8wv4-58g4-2v58 (2024-04-10): An OS Command Injection vulnerability exists in the '/open_code_folder' endpoint of the parisneo/lollms-webui application, due to improper validation