CVE-2024-1520

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-1520

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-1520.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-1520

Published

2024-04-10T17:08:02.265Z

Modified

2026-05-28T03:54:53.416562382Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

OS Command Injection in parisneo/lollms-webui

Details

An OS Command Injection vulnerability exists in the '/opencodefolder' endpoint of the parisneo/lollms-webui application, due to improper validation of user-supplied input in the 'discussion_id' parameter. Attackers can exploit this vulnerability by injecting malicious OS commands, leading to unauthorized command execution on the underlying operating system. This could result in unauthorized access, data leakage, or complete system compromise.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/1xxx/CVE-2024-1520.json",
    "cwe_ids": [
        "CWE-78"
    ],
    "cna_assigner": "@huntr_ai"
}

References

Affected packages

Git / github.com/parisneo/lollms-webui

Affected ranges

Type: GIT
Repo: https://github.com/parisneo/lollms-webui
Events: Introduced

80d72ca433cf0cb8318e0d08fa774b608aa29f05

Fixed

f87df9e0754ad9b497a630740338f8f2c98cb0a1

Affected versions

v9.*

v9.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-1520.json"