CVE-2024-1522

Exploit

EPSS 0.94%
Veröffentlicht 30.03.2024 18:15:45
Zuletzt bearbeitet 15.08.2025 20:33:48
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim's system. The vulnerability stems from the `/execute_code` API endpoint, which does not properly validate requests, enabling an attacker to craft a malicious webpage that, when visited by a victim, submits a form to the victim's local lollms-webui instance to execute arbitrary OS commands. This issue allows attackers to take full control of the victim's system without requiring direct network access to the vulnerable application.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Lollms ≫ Lollms Web Ui Version >= 9.0 <= 9.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.94%	0.756

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@huntr.dev	8.8	2.8	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

https://github.com/parisneo/lollms-webui/commit/0b51063119cfb5e391925d232a4af1de9dc32e2b

Patch

https://huntr.com/bounties/687cef92-3432-4d6c-af92-868eccabbb71

Patch

Third Party Advisory

Exploit

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2024-1522

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-1522

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-1522

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-1522