CVE-2024-2366
published 2024-05-16CVE-2024-2366: A remote code execution vulnerability exists in the parisneo/lollms-webui application, specifically within the reinstall_binding functionality in…
PriorityP355critical9CVSS 3.0
AVNACLPRLUIRSCCHIHAH
EPSS
0.66%
47.0th percentile
A remote code execution vulnerability exists in the parisneo/lollms-webui application, specifically within the reinstall_binding functionality in lollms_core/lollms/server/endpoints/lollms_binding_infos.py of the latest version. The vulnerability arises due to insufficient path sanitization, allowing an attacker to exploit path traversal to navigate to arbitrary directories. By manipulating the binding_path to point to a controlled directory and uploading a malicious __init__.py file, an attacker can execute arbitrary code on the server.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lollms | lollms_web_ui | < 9.5 | 9.5 |
| parisneo | parisneo_lollms-webui | unspecified – latest | — |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-05-16
Published