AVID-2026-R1431

Description

Improper Neutralization of Special Elements used in an OS Command in parisneo/lollms-webui (CVE-2024-2359)

Details

A vulnerability in parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and execute arbitrary code. The issue arises from the application's handling of the /execute_code endpoint, which is intended to be blocked from external access by default. However, the /update_setting endpoint lacks proper access control, so an attacker can use it to modify the host configuration at runtime. By changing the host setting to an attacker-controlled value, the restriction on the /execute_code endpoint can be bypassed, leading to remote code execution. The root cause is classified as improper neutralization of special elements used in an OS command (CWE-78).
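
The weakness pattern described above, as a constructed illustration added to this entry (it is not lollms-webui's own code and does not reproduce its endpoints): a "local only" guard on /execute_code that decides from a runtime setting any unauthenticated client can rewrite through /update_setting, next to a hardened variant that decides from facts the client cannot influence. The request sequence, the settings dictionary, the `api_key` credential and the 203.0.113.7 client address are all assumptions made for the example.

```python
"""Constructed example (not lollms-webui's code) of a runtime-mutable access
guard beside a hardened one. Nothing is executed: /execute_code only records
the request so the two designs can be compared."""
from dataclasses import dataclass, field

LOOPBACK = {"127.0.0.1", "::1"}


@dataclass
class Request:
    path: str
    client_ip: str                        # peer address of the TCP connection
    body: dict = field(default_factory=dict)


@dataclass
class VulnerableApp:
    # Settings live in one mutable dict. "host" records the interface the
    # server was started on; "0.0.0.0" means it is reachable from the network.
    config: dict = field(default_factory=lambda: {"host": "0.0.0.0"})
    executed: list = field(default_factory=list)

    def handle(self, req: Request):
        if req.path == "/update_setting":
            # No access control: any client may rewrite any setting at runtime.
            self.config[req.body["setting_name"]] = req.body["setting_value"]
            return 200, "setting updated"
        if req.path == "/execute_code":
            # The guard trusts the setting, not the real exposure of the server.
            # After the setting is rewritten the socket is still bound to
            # 0.0.0.0, but the guard no longer sees that.
            if self.config["host"] == "0.0.0.0":
                return 403, "code execution blocked: server is exposed"
            self.executed.append(req.body.get("code"))   # stand-in for running it
            return 200, "executed"
        return 404, "no such endpoint"


@dataclass
class HardenedApp:
    # Bind address is fixed at startup and is not a setting at all.
    bind_host: str = "0.0.0.0"
    api_key: str = "constructed-secret"   # assumption: a shared credential
    config: dict = field(default_factory=dict)
    executed: list = field(default_factory=list)

    def handle(self, req: Request):
        if req.path == "/update_setting":
            # Settings changes need a credential, and "host" is rejected outright.
            if req.body.get("api_key") != self.api_key:
                return 401, "authentication required"
            if req.body["setting_name"] == "host":
                return 400, "host is fixed at startup"
            self.config[req.body["setting_name"]] = req.body["setting_value"]
            return 200, "setting updated"
        if req.path == "/execute_code":
            # Decide from the connection's own peer address, which no setting
            # can change, rather than from a value stored in config.
            if req.client_ip not in LOOPBACK:
                return 403, "code execution is only available over loopback"
            self.executed.append(req.body.get("code"))
            return 200, "executed"
        return 404, "no such endpoint"


def run_sequence(app):
    """Send the same three requests from a remote client and return the
    status codes: try /execute_code, rewrite the host setting, try again."""
    remote = "203.0.113.7"                # constructed, documentation range
    statuses = []
    for req in (
        Request("/execute_code", remote, {"code": "noop"}),
        Request("/update_setting", remote,
                {"setting_name": "host", "setting_value": "localhost"}),
        Request("/execute_code", remote, {"code": "noop"}),
    ):
        statuses.append(app.handle(req)[0])
    return statuses


if __name__ == "__main__":
    print("vulnerable:", run_sequence(VulnerableApp()))   # [403, 200, 200]
    print("hardened:  ", run_sequence(HardenedApp()))     # [403, 401, 403]
```

The point the hardened variant makes is that a guard is only as strong as the data it reads: a check that consults mutable application state inherits every write path to that state, so the exposure decision is moved to the peer address of the request and the bind address is removed from the settings surface entirely.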

Reason for inclusion in AVID: CVE-2024-2359 describes a remote code execution vulnerability in parisneo/lollms-webui, an AI-related web UI used to run general-purpose AI models. It affects the AI software stack (web endpoints and access control) and enables arbitrary code execution, a security vulnerability. It impacts components used to deploy/run AI systems, i.e., the GP AI supply chain. The report provides CVE details and an exploit scenario, giving sufficient signal.

References

Affected or Relevant Artifacts

  • Developer: parisneo
  • Deployer: parisneo
  • Artifact Details:
      • Type: System
      • Name: parisneo/lollms-webui

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.0
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Base Score: 9.8
  • Base Severity: 🔴 Critical
  • Attack Vector: NETWORK
  • Attack Complexity: 🟢 Low
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: 🔴 High
  • Integrity Impact: 🔴 High
  • Availability Impact: 🔴 High

CWE

  • ID: CWE-78
  • Description: Improper Neutralization of Special Elements used in an OS Command

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-06-06
  • Version: 0.3.3
  • AVID Entry