CVE-2024-4326

Remote Code Execution via `/apply_settings` and `/execute_code` in parisneo/lollms-webui

Severity Score

9.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

A vulnerability in parisneo/lollms-webui versions up to 9.3 allows remote attackers to execute arbitrary code. The vulnerability stems from insufficient protection of the `/apply_settings` and `/execute_code` endpoints. Attackers can bypass protections by setting the host to localhost, enabling code execution, and disabling code validation through the `/apply_settings` endpoint. Subsequently, arbitrary commands can be executed remotely via the `/execute_code` endpoint, exploiting the delay in settings enforcement. This issue was addressed in version 9.5.

Una vulnerabilidad en las versiones parisneo/lollms-webui hasta 9.3 permite a atacantes remotos ejecutar código arbitrario. La vulnerabilidad se debe a una protección insuficiente de los endpoints `/apply_settings` y `/execute_code`. Los atacantes pueden eludir las protecciones configurando el host en localhost, habilitando la ejecución de código y deshabilitando la validación de código a través del endpoint `/apply_settings`. Posteriormente, se pueden ejecutar comandos arbitrarios de forma remota a través del endpoint `/execute_code`, aprovechando el retraso en la aplicación de la configuración. Este problema se solucionó en la versión 9.5.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Yes

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-04-29 CVE Reserved
2024-05-16 CVE Published
2024-05-17 EPSS Updated
2024-08-01 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-15: External Control of System or Configuration Setting

CAPEC

References (2)

URL	Tag	Source
https://github.com/parisneo/lollms-webui/commit/abb4c6d495a95a3ef5b114ffc57f85cd650b905e
https://huntr.com/bounties/2ab9f03d-0538-4317-be21-0748a079cbdd

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Parisneo Search vendor "Parisneo"		Lollms-webui Search vendor "Parisneo" for product "Lollms-webui"				*		-		Affected