CVE-2024-1522 – Cross-Site Request Forgery (CSRF) Leading to Remote Code Execution in parisneo/lollms-webui

https://notcve.org/view.php?id=CVE-2024-1522

30 Mar 2024 — A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim's system. The vulnerability stems from the `/execute_code` API endpoint, which does not properly validate requests, enabling an attacker to craft a malicious webpage that, when visited by a victim, submits a form to the victim's local lollms-webui instance to execute arbitrary OS commands. This issue allows attackers to take full control of the victim's system ... • https://github.com/parisneo/lollms-webui/commit/0b51063119cfb5e391925d232a4af1de9dc32e2b • CWE-352: Cross-Site Request Forgery (CSRF) •