CVE-2024-4078
published 2024-05-16CVE-2024-4078: A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient sanitization…
PriorityP259critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
0.92%
55.7th percentile
A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient sanitization of user input. The issue arises from the lack of path sanitization when handling the `name` parameter in the `unInstall_binding` function, allowing an attacker to traverse directories and execute arbitrary code by loading a malicious `__init__.py` file. This vulnerability affects the latest version of the software. The exploitation of this vulnerability could lead to remote code execution on the system where parisneo/lollms is deployed.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lollms | lollms | >= 0 < 9.5.0 | 9.5.0 |
| parisneo | parisneo_lollms | >= unspecified < main | main |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
LoLLMS Command Injection vulnerability
osv·2024-05-16
CVE-2024-4078 [HIGH] LoLLMS Command Injection vulnerability
LoLLMS Command Injection vulnerability
A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient sanitization of user input. The issue arises from the lack of path sanitization when handling the `name` parameter in the `unInstall_binding` function, allowing an attacker to traverse directories and execute arbitrary code by loading a malicious `__init__.py` file. This vulnerability affects the latest version of the software. The exploitation of this vulnerability could lead to remote code execution on the system where parisneo/lollms is deployed.
GHSA
LoLLMS Command Injection vulnerability
ghsa·2024-05-16
CVE-2024-4078 [HIGH] CWE-77 LoLLMS Command Injection vulnerability
LoLLMS Command Injection vulnerability
A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient sanitization of user input. The issue arises from the lack of path sanitization when handling the `name` parameter in the `unInstall_binding` function, allowing an attacker to traverse directories and execute arbitrary code by loading a malicious `__init__.py` file. This vulnerability affects the latest version of the software. The exploitation of this vulnerability could lead to remote code execution on the system where parisneo/lollms is deployed.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-05-16
Published