CVE-2024-4999 – Ligowave Unity/Pro/Mimo/APC Arbitrary Command Injection
https://notcve.org/view.php?id=CVE-2024-4999
A vulnerability in the web-based management interface of multiple Ligowave devices could allow an authenticated remote attacker to execute arbitrary commands with elevated privileges. This issue affects UNITY: through 6.95-2; PRO: through 6.95-1.Rt3883; MIMO: through 6.95-1.Rt2880; APC Propeller: through 2-5.95-4.Rt3352. • https://onekey.com/blog/security-advisory-remote-code-execution-in-ligowave-devices • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2024-2366 – Remote Code Execution in parisneo/lollms-webui
https://notcve.org/view.php?id=CVE-2024-2366
A remote code execution vulnerability exists in the parisneo/lollms-webui application, specifically within the reinstall_binding functionality in lollms_core/lollms/server/endpoints/lollms_binding_infos.py of the latest version. ... By manipulating the binding_path to point to a controlled directory and uploading a malicious __init__.py file, an attacker can execute arbitrary code on the server. • https://huntr.com/bounties/63266c77-408b-45ff-962c-8163db50a864 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2024-4078 – Arbitrary Code Execution in parisneo/lollms
https://notcve.org/view.php?id=CVE-2024-4078
A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient sanitization of user input. The issue arises from the lack of path sanitization when handling the `name` parameter in the `unInstall_binding` function, allowing an attacker to traverse directories and execute arbitrary code by loading a malicious `__init__.py` file. ... The exploitation of this vulnerability could lead to remote code execution on the system where parisneo/lollms is deployed. • https://github.com/parisneo/lollms/commit/7ebe08da7e0026b155af4f7be1d6417bc64cf02f https://huntr.com/bounties/a55a8c04-df44-49b2-bcfa-2a2b728a299d • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2024-3435 – Path Traversal in parisneo/lollms-webui
https://notcve.org/view.php?id=CVE-2024-3435
This could lead to remote code execution (RCE) by bypassing existing patches designed to mitigate such vulnerabilities. ... • https://github.com/ymuraki-csc/cve-2024-3435 https://github.com/parisneo/lollms-webui/commit/bb99b59e710d00c4f2598faa5e183fa30fbd3bc2 https://huntr.com/bounties/494f349a-8650-4d30-a0bd-4742fda44ce5 • CWE-29: Path Traversal: '\..\filename' •
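The three lollms entries above (CVE-2024-2366, CVE-2024-4078 and CVE-2024-3435) share one root cause: a user-supplied binding name or path is joined onto the bindings directory and then imported, so a traversal sequence reaches an attacker-controlled `__init__.py`. The CWE-29 entry is the reminder that a patch which only looks for `../` is bypassed by `..\`. The following is an added example, not lollms code; `resolve_binding_dir`, `naive_check`, `classify` and the `good_binding` / `evil` directories are all hypothetical names constructed for the demonstration. It shows a containment check that rejects both separator styles, `..` segments and symlink escapes, next to the naive filter that backslash traversal defeats.

```python
"""Added example (not lollms code): containing a user-supplied binding name
inside the bindings directory before anything is imported from it."""
import tempfile
from pathlib import Path
from typing import Dict, Iterable


def naive_check(name: str) -> bool:
    """The kind of filter a hurried patch adds: it only looks for forward-slash
    traversal, so '..\\evil' (CWE-29) and absolute paths slip through."""
    return "../" not in name


def resolve_binding_dir(bindings_root: Path, name: str) -> Path:
    """Return bindings_root/name, or raise if the name is not a single, safe
    path component that stays inside bindings_root after resolution."""
    # A binding name is exactly one path component: no '/', no '\', no NUL.
    if not name or name in (".", "..") or any(c in name for c in "/\\\x00"):
        raise ValueError(f"invalid binding name: {name!r}")
    root = bindings_root.resolve()
    candidate = (root / name).resolve()  # follows symlinks, collapses '..'
    # Containment check on the *resolved* path: must be a strict descendant.
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError(f"binding {name!r} escapes {root}") from None
    if candidate == root:
        raise ValueError("binding name resolves to the bindings root itself")
    if not candidate.is_dir():
        raise FileNotFoundError(f"no such binding: {name!r}")
    return candidate


def classify(names: Iterable[str]) -> Dict[str, bool]:
    """Try each name against a scratch bindings root (constructed here) that
    holds one legitimate binding, one symlink pointing outside the root, and an
    attacker-controlled directory beside the root. True means 'accepted'."""
    results: Dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bindings"
        (root / "good_binding").mkdir(parents=True)
        (root / "good_binding" / "__init__.py").write_text("# legitimate binding\n")
        # What an attacker wants to reach: a package outside the bindings root.
        (Path(tmp) / "evil").mkdir()
        (Path(tmp) / "evil" / "__init__.py").write_text("# attacker-controlled\n")
        # A symlink inside the root that points outside it (symlink escape).
        (root / "link").symlink_to(Path(tmp) / "evil")
        for name in names:
            try:
                resolve_binding_dir(root, name)
                results[name] = True
            except (ValueError, FileNotFoundError):
                results[name] = False
    return results


if __name__ == "__main__":
    probes = ["good_binding", "../evil", "..\\evil", "link", "..", "", "missing"]
    for probe, accepted in classify(probes).items():
        print(f"{probe!r:20} strict={accepted!s:5} naive={naive_check(probe)}")
```

The point of resolving before checking is that `relative_to` runs on the real filesystem path, so a symlink planted inside the bindings directory cannot smuggle the import out of it; the separator rejection is what makes the check independent of which traversal spelling the attacker chooses.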
CVE-2024-3126 – Command Injection in parisneo/lollms-webui
https://notcve.org/view.php?id=CVE-2024-3126
The affected function uses 'subprocess.Popen' to execute a command constructed with a Python f-string, without adequately sanitizing the 'xtts_base_url' input. This flaw allows attackers to execute arbitrary commands remotely by manipulating the 'xtts_base_url' parameter. ... Successful exploitation could lead to arbitrary remote code execution (RCE) on the system where the application is deployed. ... • https://github.com/parisneo/lollms-webui/commit/41dbb1b3f2e78ea276e5269544e50514252c0c25 https://huntr.com/bounties/0e2bec70-826e-4c24-8015-31921e23fd12 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
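The CVE-2024-3126 entry describes the classic shape of CWE-78 in Python: a request parameter is interpolated into a command string with an f-string and handed to `subprocess` through the shell, so a `;` in `xtts_base_url` ends the intended command and starts the attacker's. The following is an added example, not lollms-webui code; the command it runs is a harmless `echo` stand-in, and `vulnerable_run`, `argv_run`, `is_valid_base_url` and `hardened_run` are hypothetical names. It runs the constructed attacker input through the vulnerable pattern, through the same command as an argv list (no shell), and through an allowlist validator, so the difference in behaviour is observable rather than described.

```python
"""Added example (not lollms-webui code): the f-string + shell pattern from the
advisory, beside the two fixes that actually close it."""
import re
import subprocess
import sys
from urllib.parse import urlparse

# Constructed attacker input: a plausible base URL with a shell command appended.
MALICIOUS_URL = "http://127.0.0.1:8020; echo INJECTED"


def vulnerable_run(xtts_base_url: str) -> str:
    """The vulnerable pattern: untrusted input interpolated into a shell string.
    'echo' is a hypothetical stand-in for the real command line."""
    cmd = f"echo connecting to {xtts_base_url}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_run(xtts_base_url: str) -> str:
    """Same stand-in command as an argv list with shell=False: the value is one
    argument, and ';', '|', '$(...)' inside it are plain characters."""
    cmd = [sys.executable, "-c",
           "import sys; print('connecting to', sys.argv[1])", xtts_base_url]
    return subprocess.run(cmd, capture_output=True, text=True).stdout


# Allowlist for what a base URL may contain: scheme, host[:port], simple path.
_NETLOC_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")
_PATH_RE = re.compile(r"^[A-Za-z0-9._/-]*$")


def is_valid_base_url(url: str) -> bool:
    """Reject anything that is not http(s)://host[:port]/simple/path.
    Whitespace, credentials, query strings and fragments are all refused."""
    if re.search(r"\s", url):
        return False
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    if parsed.username or parsed.password or parsed.query or parsed.fragment:
        return False
    if not _NETLOC_RE.match(parsed.netloc):
        return False
    return bool(_PATH_RE.match(parsed.path))


def hardened_run(xtts_base_url: str) -> str:
    """Defence in depth: validate the value, then never involve a shell."""
    if not is_valid_base_url(xtts_base_url):
        raise ValueError(f"rejected xtts_base_url: {xtts_base_url!r}")
    return argv_run(xtts_base_url)


if __name__ == "__main__":
    print("vulnerable :", repr(vulnerable_run(MALICIOUS_URL)))
    print("argv list  :", repr(argv_run(MALICIOUS_URL)))
    print("validator  :", is_valid_base_url(MALICIOUS_URL))
    print("hardened   :", repr(hardened_run("http://127.0.0.1:8020")))
```

The argv form alone already stops the injection, because nothing ever parses the string as shell syntax; the validator is still worth keeping, since a URL that reaches a child process unchecked can still carry option-like values (`-something`) or nonsense hosts, and an allowlist is easier to reason about than a denylist of shell metacharacters.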