CVE-2024-1522

Published: Mar 30, 2024Modified: Jun 17, 2026

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: security@huntr.dev (Secondary)

Description

A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim's system. The vulnerability stems from the `/execute_code` API endpoint, which does not properly validate requests, enabling an attacker to craft a malicious webpage that, when visited by a victim, submits a form to the victim's local lollms-webui instance to execute arbitrary OS commands. This issue allows attackers to take full control of the victim's system without requiring direct network access to the vulnerable application.

Affected (1)

Products: Lollms: Lollms Web Ui

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Lollms Lollms Web Ui	From 9.0 to 9.2

Related CWEs

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (4)

https://github.com/parisneo/lollms-webui/commit/0b51063119cfb5e391925d232a4af1de9dc32e2b

Source: security@huntr.dev

Patch

https://huntr.com/bounties/687cef92-3432-4d6c-af92-868eccabbb71

Source: security@huntr.dev

ExploitIssue TrackingPatchThird Party Advisory

https://github.com/parisneo/lollms-webui/commit/0b51063119cfb5e391925d232a4af1de9dc32e2b

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://huntr.com/bounties/687cef92-3432-4d6c-af92-868eccabbb71

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingPatchThird Party Advisory

Timeline

No history available yet.