CVE-2024-1602Cross-site Scripting in Lollms-webui

CWE-79Cross-site ScriptingCWE-89SQL Injection5 documents5 sources
Severity
6.1MEDIUMNVD
EPSS
0.2%
top 60.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Parisneo Lollms-webuiLollms WEB UI
Timeline
PublishedApr 10
Latest updateFeb 10

Description

parisneo/lollms-webui is vulnerable to stored Cross-Site Scripting (XSS) that leads to Remote Code Execution (RCE). The vulnerability arises due to inadequate sanitization and validation of model output data, allowing an attacker to inject malicious JavaScript code. This code can be executed within the user's browser context, enabling the attacker to send a request to the `/execute_code` endpoint and establish a reverse shell to the attacker's host. The issue affects various components of the ap

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

CVEListV5parisneo/parisneo_lollms-webuiunspecifiedlatest

🔴Vulnerability Details

1
GHSA
GHSA-jmw2-399f-6mwg: parisneo/lollms-webui is vulnerable to stored Cross-Site Scripting (XSS) that leads to Remote Code Execution (RCE)2024-04-10

📋Vendor Advisories

1
Ivanti
Ivanti Security Advisory: CVE-2026-16022026-02-10

📄Research Papers

1
arXiv
SoK: Understanding Vulnerabilities in the Large Language Model Supply Chain2025-02-18