CRITICAL🇵🇱 Wersja polska

CVE-2024-4320

CVSS 9.8v3.1pub. 2024-06-06upd. 2024-11-21

A remote code execution (RCE) vulnerability exists in the '/install_extension' endpoint of the parisneo/lollms-webui application, specifically within the `@router.post("/install_extension")` route handler. The vulnerability arises due to improper handling of the `name` parameter in the `ExtensionBuilder().build_extension()` method, which allows for local file inclusion (LFI) leading to arbitrary code execution. An attacker can exploit this vulnerability by crafting a malicious `name` parameter that causes the server to load and execute a `__init__.py` file from an arbitrary location, such as the upload directory for discussions. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to remote code execution without requiring user interaction, especially when the application is exposed to an external endpoint or operated in headless mode.

🤖 AI Analysis
How it works

The vulnerability results from improper handling of the `name` parameter in the `ExtensionBuilder().build_extension()` method called by the `@router.post("/install_extension")` route handler. An attacker sends a crafted `name` parameter that causes the server to load and execute the `__init__.py` file from any location in the filesystem — for example from the discussion upload directory. This is a Local File Inclusion (LFI) case leading directly to arbitrary code execution.

Impact

An attacker can remotely execute arbitrary code on the server without authentication, leading to complete system compromise, including violation of confidentiality, integrity and availability of data.

Mitigation & patch

Apply patches available from the vendor according to references. As a temporary measure, it is recommended to restrict access to the '/install_extension' endpoint only to trusted networks or users and avoid exposing the application on external network interfaces.

Who is affected

Latest version of parisneo/lollms-webui application — particularly installations accessible from an external network endpoint or running in headless mode

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Lollms Web Ui

    APP
    Lollms
    wszystkie wersje
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath Traversal
CWE
References

Related vulnerabilities

CVE-2026-33340CRITICAL9.1PL ✓ten sam produkt

SSRF i brak uwierzytelnienia w lollms-webui — dostęp do wewnętrznych zasobów

CVE-2024-8898CRITICAL9.8PL ✓ten sam produkt

Path traversal w API install/uninstall lollms-webui V12 (Strawberry)

CVE-2024-8581CRITICAL9.1PL ✓ten sam produkt

Path Traversal w lollms-webui umożliwia usunięcie dowolnego pliku

CVE-2024-1873CRITICAL9.1PL ✓ten sam produkt

Path Traversal i DoS w endpoint /select_database aplikacji lollms-webui

CVE-2024-2359CRITICAL9.8PL ✓ten sam produkt

Command Injection w lollms-webui — obejście zabezpieczeń i RCE