CVE-2024-1602

Name of the Vulnerable Software and Affected Versions parisneo/lollms-webui (affected versions not specified)

Description The issue arises due to inadequate sanitization and validation of model output data, allowing an attacker to inject malicious JavaScript code. This code can be executed within the user's browser context, enabling the attacker to send a request to the "/execute code" endpoint and establish a reverse shell to the attacker's host. The issue affects various components of the application, including the handling of user input and model output.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider disabling the functionality that handles user input and model output to minimize the risk of exploitation. Restrict access to the "/execute code" endpoint to prevent potential attacks. Avoid using the application until a patch is available.