CVE-2024-1522
published 2024-03-30


Priority: P3 (48)
CVSS 3.0: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.45% (35.5th percentile)
A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim's system. The vulnerability stems from the `/execute_code` API endpoint, which does not properly validate requests, enabling an attacker to craft a malicious webpage that, when visited by a victim, submits a form to the victim's local lollms-webui instance to execute arbitrary OS commands. This issue allows attackers to take full control of the victim's system without requiring direct network access to the vulnerable application.

Affected (2 ranges)

Vendor     Product                 Version range               Fixed in
lollms     lollms_web_ui           9.0 – 9.2                   -
parisneo   parisneo_lollms-webui   >= unspecified, < 9.2       9.2

CVE-2024-1522 — Cross-Site Request Forgery | cvebase