Home » Database

AVID-2026-R1398

Description

Stored XSS leading to RCE in parisneo/lollms-webui (CVE-2024-1602)

Details

parisneo/lollms-webui is vulnerable to stored Cross-Site Scripting (XSS) that leads to Remote Code Execution (RCE). The vulnerability arises due to inadequate sanitization and validation of model output data, allowing an attacker to inject malicious JavaScript code. This code can be executed within the user’s browser context, enabling the attacker to send a request to the /execute_code endpoint and establish a reverse shell to the attacker’s host. The issue affects various components of the application, including the handling of user input and model output.

Reason for inclusion in AVID: CVE-2024-1602 describes a stored XSS vulnerability in the parisneo/lollms-webui web UI that leads to remote code execution. This is a software vulnerability in a component used to deploy/run AI systems (web UI for LollMS), making it relevant to GP AI stacks. The issue is security-related (RCE via XSS) and the report provides sufficient signal (CVSS details, description, and references).

References

Affected or Relevant Artifacts

  • Developer: parisneo
  • Deployer: parisneo
  • Artifact Details:
TypeName
Systemparisneo/lollms-webui

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version3.0
Vector StringCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score8.8
Base Severity🔴 High
Attack VectorNETWORK
Attack Complexity🟢 Low
Privileges RequiredNONE
User InteractionREQUIRED
ScopeUNCHANGED
Confidentiality Impact🔴 High
Integrity Impact🔴 High
Availability Impact🔴 High

CWE

IDDescription
CWE-79CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-04-10
  • Version: 0.3.3
  • AVID Entry