CVE-2024-2359
published 2024-06-06


Priority: P267 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.22% (64.9th percentile)
A vulnerability in the parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and execute arbitrary code. The issue arises from the application's handling of the `/execute_code` endpoint, which is intended to be blocked from external access by default. However, attackers can exploit the `/update_setting` endpoint, which lacks proper access control, to modify the `host` configuration at runtime. By changing the `host` setting to an attacker-controlled value, the restriction on the `/execute_code` endpoint can be bypassed, leading to remote code execution. The underlying weakness is classified as improper neutralization of special elements used in an OS command.

Affected (2 ranges)

Vendor    | Product                | Version range        | Fixed in
lollms    | lollms_web_ui          |                      |
parisneo  | parisneo_lollms-webui  | unspecified – latest |

Detection & IOCs (extracted from sources)

URL: /execute_code
URL: /update_setting
  • Monitor for unexpected POST/GET requests to the `/update_setting` endpoint from external/untrusted sources, especially those modifying the `host` parameter; this is the initial step of the exploit chain.
  • Detect runtime changes to the `host` configuration value via the `/update_setting` endpoint, particularly to values not matching expected localhost/internal addresses.
  • The vulnerability affects parisneo/lollms-webui version 9.3 specifically; the `/execute_code` endpoint restriction is a runtime configuration that can be altered via `/update_setting` without authentication controls.
  • The `/execute_code` endpoint block is enforced based on the `host` configuration value; since `/update_setting` lacks access control, this protection can be defeated at runtime without restarting the application.
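The two detection bullets above describe a two-step pattern: a `host` rewrite through `/update_setting`, followed by a call to `/execute_code`. The following added example (not code from the advisory or from the lollms-webui project) scans a constructed, simplified access log for that sequence. The log format, the `setting_name`/`setting_value` query parameters and the loopback-only trust model are assumptions made for the illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample access log (hypothetical format: client method path status).
# Parameter names setting_name/setting_value are assumptions, not taken from the advisory.
SAMPLE_LOG = """\
127.0.0.1 POST /update_setting?setting_name=host&setting_value=localhost 200
203.0.113.45 POST /update_setting?setting_name=host&setting_value=0.0.0.0 200
203.0.113.45 POST /execute_code 200
10.0.0.7 GET /api/version 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
LOCAL_HOST_VALUES = {"localhost", "127.0.0.1", "::1"}


def is_loopback(client: str) -> bool:
    """True only for loopback clients; unparsable addresses are treated as untrusted."""
    try:
        return ipaddress.ip_address(client).is_loopback
    except ValueError:
        return False


def scan(log_text: str) -> list:
    """Return (alert, client, detail) tuples for the two-step pattern in the advisory."""
    alerts = []
    host_changers = set()  # clients that altered `host` to a non-local value
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, target, _status = m.groups()
        url = urlparse(target)
        params = parse_qs(url.query)
        if url.path == "/update_setting" and "host" in params.get("setting_name", []):
            new_value = params.get("setting_value", [""])[0]
            # Step 1: `host` rewritten from outside, or to a non-local bind address.
            if not is_loopback(client) or new_value not in LOCAL_HOST_VALUES:
                alerts.append(("host_setting_changed", client, new_value))
                host_changers.add(client)
        elif url.path == "/execute_code":
            # Step 2: code execution after the restriction was lifted, or from outside.
            if client in host_changers:
                alerts.append(("execute_code_after_host_change", client, None))
            elif not is_loopback(client):
                alerts.append(("execute_code_external", client, None))
    return alerts
```

Running `scan(SAMPLE_LOG)` yields one alert for the external `host` change and one for the `/execute_code` call that follows it from the same client; the loopback change to `localhost` is not flagged.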

CVSS provenance

NVD · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H