PT-2025-12021 · Unknown · Parisneo/Lollms-Webui

Published

2025-03-20

·

Updated

2025-07-08

·

CVE-2024-10019

CVSS v3.1

6.7

Medium

Vector

AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

parisneo/lollms-webui version V12 (Strawberry)

Description

The start app server function in parisneo/lollms-webui V12 (Strawberry) does not sanitize the app name parameter before using it to locate the app's server.py. Because the parameter can contain path traversal sequences, an attacker who can place a malicious server.py on the host (for example through an upload) can point the function at that file and have it executed, resulting in arbitrary code execution. The flaw is classed as both relative path traversal and OS command injection.

Recommendations

For parisneo/lollms-webui version V12 (Strawberry), disable the start app server function as a temporary workaround until a patch is available. Restrict who can reach the function, since exploitation requires a privileged caller (PR:H). If the function must stay enabled, validate the app name against a strict allow-list of expected names before it is used to build a path or a command, and do not use an unvalidated app name in the affected function until the issue is resolved.
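The following is an added example, not code from lollms-webui, showing the flaw class the description refers to and the check a fix needs. The directory layout (`APPS_ROOT/<app_name>/server.py`), the function names `vulnerable_server_path`, `safe_server_path` and `start_app_server_safely`, and the temporary apps root are all assumptions made for illustration; they are not the project's actual identifiers.

```python
"""Added example (not lollms-webui's own code): an app-name parameter
joined into a path unchecked lets a caller escape the apps directory;
the hardened version validates the name, resolves the path and keeps
the name out of any shell."""
import re
import sys
import tempfile
from pathlib import Path

# Constructed layout for this example: apps live under APPS_ROOT/<app_name>/server.py.
# A temporary directory stands in for the real apps location (assumption).
APPS_ROOT = Path(tempfile.mkdtemp()) / "apps"


def vulnerable_server_path(app_name: str) -> Path:
    """Mirrors the flaw class in the advisory: the app name is joined into
    the path without validation, so a name such as "../../tmp/evil"
    resolves to a server.py outside APPS_ROOT."""
    return APPS_ROOT / app_name / "server.py"


# Hypothetical allow-list: a short alphanumeric name, no separators, no dots.
_APP_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


def safe_server_path(app_name: str) -> Path:
    """Reject names that are not plain identifiers, then confirm the
    resolved path is still inside APPS_ROOT. The second check also
    catches a symlink inside the apps directory pointing elsewhere."""
    if not _APP_NAME_RE.fullmatch(app_name):
        raise ValueError(f"invalid app name: {app_name!r}")
    root = APPS_ROOT.resolve()
    candidate = (root / app_name / "server.py").resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError("server.py path escapes the apps directory") from None
    return candidate


def start_app_server_safely(app_name: str, port: int) -> list[str]:
    """Build the interpreter command as an argv list. The app name never
    reaches a shell, so shell metacharacters in it cannot inject commands;
    the validated path is the only thing derived from user input."""
    path = safe_server_path(app_name)
    return [sys.executable, str(path), "--port", str(port)]


if __name__ == "__main__":
    print("vulnerable:", vulnerable_server_path("../../tmp/evil"))
    print("safe argv:", start_app_server_safely("my_app", 8080))
    try:
        safe_server_path("../../tmp/evil")
    except ValueError as exc:
        print("rejected:", exc)
```

The argv list returned by `start_app_server_safely` is meant to be passed to `subprocess.Popen` as a list, never joined into a string with `shell=True`; the allow-list on the name and the `relative_to` check on the resolved path are independent controls, and both should stay in place.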

Weakness Enumeration

Relative Path Traversal

OS Command Injection

Related Identifiers

CVE-2024-10019

Affected Products

Parisneo/Lollms-Webui