Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-4320— Remote Code Execution due to LFI in '/install_extension' in parisneo/lollms-webui

EPSS 66.23% · P99
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-4320

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Remote Code Execution due to LFI in '/install_extension' in parisneo/lollms-webui
Source: NVD (National Vulnerability Database)
Vulnerability Description
A remote code execution (RCE) vulnerability exists in the '/install_extension' endpoint of the parisneo/lollms-webui application, specifically within the `@router.post("/install_extension")` route handler. The vulnerability arises due to improper handling of the `name` parameter in the `ExtensionBuilder().build_extension()` method, which allows for local file inclusion (LFI) leading to arbitrary code execution. An attacker can exploit this vulnerability by crafting a malicious `name` parameter that causes the server to load and execute a `__init__.py` file from an arbitrary location, such as the upload directory for discussions. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to remote code execution without requiring user interaction, especially when the application is exposed to an external endpoint or operated in headless mode.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
路径遍历:’..filename’
Source: NVD (National Vulnerability Database)
Vulnerability Title
LoLLMs 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
LoLLMs是Saifeddine ALOUI个人开发者的一个大型语言多模式系统的 Web UI。 LoLLMs 存在安全漏洞,该漏洞源于 /install_extension 端口的 name 参数存在远程代码执行漏洞。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Shenlong Deep Dive — AI Deep Analysis

10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.

Read summary Full analysis (login)

Affected Products

VendorProductAffected VersionsCPESubscribe
parisneoparisneo/lollms-webui unspecified ~ latest -

II. Public POCs for CVE-2024-4320

#POC DescriptionSource LinkShenlong Link
1Nonehttps://github.com/bolkv/CVE-2024-4320POC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2024-4320

登录查看更多情报信息。

Same Patch Batch · parisneo · 2024-06-06 · 12 CVEs total

CVE-2024-1873Path Traversal and Denial of Service in parisneo/lollms-webui
CVE-2024-5482SSRF in add_webpage endpoint in parisneo/lollms-webui
CVE-2024-2624Path Traversal and Arbitrary File Upload Vulnerability in parisneo/lollms-webui
CVE-2024-2362Path Traversal in parisneo/lollms-webui
CVE-2024-2360Path Traversal leading to Remote Code Execution in parisneo/lollms-webui
CVE-2024-2359Improper Neutralization of Special Elements used in an OS Command in parisneo/lollms-webui
CVE-2024-2548Path Traversal in parisneo/lollms-webui
CVE-2024-2288CSRF File Upload Vulnerability in parisneo/lollms-webui
CVE-2024-3429Path Traversal in parisneo/lollms
CVE-2024-3322Path Traversal in parisneo/lollms-webui
CVE-2024-4881Path Traversal in parisneo/lollms

IV. Related Vulnerabilities

Same product: parisneo/lollms-webui
Same vendor: parisneo
Same weakness: CWE-29

V. Comments for CVE-2024-4320

No comments yet

Leave a comment