CVE-2024-1602

Exploit

EPSS 0.18%
Veröffentlicht 10.04.2024 17:15:52
Zuletzt bearbeitet 09.07.2025 14:14:04
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

parisneo/lollms-webui is vulnerable to stored Cross-Site Scripting (XSS) that leads to Remote Code Execution (RCE). The vulnerability arises due to inadequate sanitization and validation of model output data, allowing an attacker to inject malicious JavaScript code. This code can be executed within the user's browser context, enabling the attacker to send a request to the `/execute_code` endpoint and establish a reverse shell to the attacker's host. The issue affects various components of the application, including the handling of user input and model output.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Lollms ≫ Lollms Web Ui Version9.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.18%	0.401

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security@huntr.dev	8.8	2.8	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://huntr.com/bounties/59be0d5a-f18e-4418-8f29-72320269a097

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-1602

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-1602

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-1602

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-1602