CVE-2024-6982

Name of the Vulnerable Software and Affected Versions parisneo/lollms version 9.8

Description A remote code execution issue exists in the Calculate function due to the use of Python's eval() function to evaluate mathematical expressions within a Python sandbox. This sandbox, which disables builtins and only allows functions from the math module, can be bypassed by loading the os module using the frozen importlib.BuiltinImporter class. This allows an attacker to execute arbitrary commands on the server.

Recommendations For parisneo/lollms version 9.8, update to version 9.10 to resolve the issue. As a temporary workaround, consider disabling the Calculate function until a patch is available. Restrict access to the os module to minimize the risk of exploitation. Avoid using the eval() function in the Calculate function until the issue is resolved.