CVE-2024-2366

Published: May 16, 2024

Modified: Aug 1, 2024

PUBLISHED

CVSS v3.0

9.0

CRITICAL

Description

A remote code execution vulnerability exists in the parisneo/lollms-webui application, specifically within the reinstall_binding functionality in lollms_core/lollms/server/endpoints/lollms_binding_infos.py of the latest version. The vulnerability arises due to insufficient path sanitization, allowing an attacker to exploit path traversal to navigate to arbitrary directories. By manipulating the binding_path to point to a controlled directory and uploading a malicious __init__.py file, an attacker can execute arbitrary code on the server.

Vendor	Product	Versions
parisneo	parisneo/lollms-webui	affected `unspecified - <= latest`

Weaknesses (CWE)

CWE-77

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://huntr.com/bounties/63266c77-408b-45ff-962c-8163db50a864

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-2366

Description

Affected Products

Weaknesses (CWE)

CVSS v3.0 Details

References