CVE-2024-1522 — Cross-Site Request Forgery in Lollms-webui

CWE-352 — Cross-Site Request Forgery2 documents2 sources

Severity

8.8HIGHNVD

EPSS

0.9%

top 23.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Parisneo Lollms-webui Lollms WEB UI

Timeline

PublishedMar 30

Description

A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim's system. The vulnerability stems from the `/execute_code` API endpoint, which does not properly validate requests, enabling an attacker to craft a malicious webpage that, when visited by a victim, submits a form to the victim's local lollms-webui instance to execute arbitrary OS commands. This issue allows attackers to take full control of the vict…

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5parisneo/parisneo_lollms-webuiunspecified — 9.2

▶NVDlollms/lollms_web_ui9.0 — 9.2

Patches

Patch: github.com ↗Patch: huntr.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-4qp4-9mwx-276r: I have activated the CORS because I had a development ui that uses another port number then I forgot to remove it↗2024-03-30

▶