CVE-2024-2359

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-2359

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-2359.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2024-2359

Published

2024-06-06T19:15:54.353Z

Modified

2025-11-15T15:39:39.169039Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A vulnerability in the parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and execute arbitrary code. The issue arises from the application's handling of the /execute_code endpoint, which is intended to be blocked from external access by default. However, attackers can exploit the /update_setting endpoint, which lacks proper access control, to modify the host configuration at runtime. By changing the host setting to an attacker-controlled value, the restriction on the /execute_code endpoint can be bypassed, leading to remote code execution. This vulnerability is due to improper neutralization of special elements used in an OS command (Improper Neutralization of Special Elements used in an OS Command).

References

https://huntr.com/bounties/62144831-8d4b-4cf2-9737-5e559f7bc67e

Affected packages

Git / github.com/parisneo/lollms-webui

Affected ranges

Type: GIT
Repo: https://github.com/parisneo/lollms-webui
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

5f93989bdd697654f7d351643e322bc6a6225cb3

Affected versions

v0.*

v0.0.1

v0.0.2

v0.0.3

v0.0.4

v0.0.5

v0.0.6

v0.0.7

v0.0.8

v0.0.9

v3.*

v3.0

v3.5

v4.*

v4.0

v5.*

v5.0

v6.*

v6.0

v6.5

v6.5.0

v6.5rc2

v6.7

v7.*

v7.0

v8.*

v8.0

v8.5

v9.*

v9.0

v9.1

v9.2

v9.3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-2359.json"