PT-2024-30422 · Parisneo · Lollms-Webui
Published 2024-05-16 · Updated 2024-05-16 · CVE-2024-4326
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: parisneo/lollms-webui versions up to 9.3

Description: A vulnerability allows remote attackers to execute arbitrary code due to insufficient protection of the "/apply settings" and "/execute code" endpoints. Attackers can bypass protections by setting the host to localhost, enabling code execution, and disabling code validation through the "/apply settings" endpoint. Subsequently, arbitrary commands can be executed remotely via the "/execute code" endpoint, exploiting the delay in settings enforcement.

Recommendations: For versions up to 9.3, update to version 9.5 to resolve the issue. As a temporary workaround, consider restricting access to the "/apply settings" and "/execute code" endpoints to minimize the risk of exploitation. Additionally, avoid setting the host to localhost and ensure code validation is enabled until the issue is resolved.


Related Identifiers

CVE-2024-4326

Affected Products

Lollms-Webui