PT-2024-19951 · Unknown · Parisneo/Lollms-Webui

Published 2024-06-06 · Updated 2024-10-17 · CVE-2024-2359

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: parisneo/lollms-webui version 9.3
Description: The "/execute_code" endpoint runs code on the server and is intended to be blocked from external access by default; the restriction is evaluated against the application's "host" setting at request time. The "/update_setting" endpoint, however, lacks access control and lets any caller modify the configuration at runtime. An unauthenticated attacker can therefore first set "host" to an attacker-chosen value that satisfies the check and then call "/execute_code", obtaining remote code execution. The root cause is improper neutralization of special elements used in an OS command (OS command injection), reachable through an access check that trusts a value the attacker can change.
Recommendations: For parisneo/lollms-webui version 9.3, as a temporary workaround, disable the /execute_code endpoint until a patch is available. Restrict access to the /update_setting endpoint (for example, to authenticated administrators or to connections from the local machine) so that the "host" setting cannot be changed by an unauthenticated caller, and do not rely on the runtime host configuration as the access check in the affected endpoints until the issue is resolved. Do not expose the web UI directly to untrusted networks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
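As an added example (not code from lollms-webui or from the advisory), the following Python models the two-request bypass described in the Description and contrasts it with a handler that follows the Recommendations: the bind address is captured once at startup instead of being read from the mutable configuration, network-facing keys are refused by the settings endpoint, and settings changes require an authenticated administrator. Only the endpoint names ("/update_setting", "/execute_code") and the "host" setting come from the advisory; the class, function and attribute names are assumptions for illustration.

```python
# Added example, not code from lollms-webui: models the access-check pattern
# the advisory describes and one hardened alternative. Class, function and
# attribute names are assumptions; only "/update_setting", "/execute_code"
# and the "host" setting come from the advisory.
from dataclasses import dataclass, field

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


@dataclass
class VulnerableServer:
    """Code-execution gate reads 'host' from a config any caller can rewrite."""
    config: dict = field(default_factory=lambda: {"host": "0.0.0.0", "port": 9600})

    def update_setting(self, name: str, value) -> bool:
        # Models /update_setting: no access control and no allow-list,
        # so 'host' is as writable as any other key.
        self.config[name] = value
        return True

    def execute_code_allowed(self) -> bool:
        # Models the /execute_code gate. Bypassable: the attacker first
        # calls update_setting("host", "localhost").
        return self.config["host"] in LOCAL_HOSTS


@dataclass
class HardenedServer:
    """Same surface, three changes: the bind address is captured once at
    startup and never read from the mutable config again; network-facing
    keys cannot be changed through update_setting at all; and update_setting
    requires a caller the server has already authenticated as an admin."""
    bind_host: str
    config: dict = field(default_factory=lambda: {"port": 9600})
    PROTECTED_KEYS = frozenset({"host", "port"})

    def update_setting(self, name: str, value, caller_is_admin: bool = False) -> bool:
        if not caller_is_admin or name in self.PROTECTED_KEYS:
            return False
        self.config[name] = value
        return True

    def execute_code_allowed(self) -> bool:
        # Decision depends only on how the process was actually started.
        return self.bind_host in LOCAL_HOSTS


def vulnerable_bypass() -> tuple:
    """Replays the advisory's request sequence against the vulnerable model.
    Returns (allowed before tampering, allowed after tampering)."""
    srv = VulnerableServer()                    # exposed on all interfaces
    before = srv.execute_code_allowed()         # False: gate works as intended
    srv.update_setting("host", "localhost")     # unauthenticated request
    return before, srv.execute_code_allowed()   # (False, True): gate bypassed


def hardened_bypass_attempt() -> tuple:
    """Same sequence against the hardened model, as anonymous and as admin.
    Returns (anonymous update accepted, admin update accepted, execution allowed)."""
    srv = HardenedServer(bind_host="0.0.0.0")
    anon = srv.update_setting("host", "localhost")
    admin = srv.update_setting("host", "localhost", caller_is_admin=True)
    return anon, admin, srv.execute_code_allowed()   # (False, False, False)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_bypass())
    print("hardened:  ", hardened_bypass_attempt())
```

The hardened form still reasons only about the listening address. An exposed deployment where the gate should depend on who is calling would additionally check the peer address of the request (or require authentication on /execute_code itself) rather than any configuration value, since a configuration value that is writable over the same network interface is never evidence that the caller is local.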

Exploit

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2024-2359

Affected Products: Parisneo/Lollms-Webui