CVE-2024-2359

A vulnerability in the parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and execute arbitrary code. The issue arises from the application's handling of the /execute_code endpoint, which is intended to be blocked from external access by default. However, attackers can exploit the /update_setting endpoint, which lacks proper access control, to modify the host configuration at runtime. By changing the host setting to an attacker-controlled value, the restriction on the /execute_code endpoint can be bypassed, leading to remote code execution. This vulnerability is due to improper neutralization of special elements used in an OS command (Improper Neutralization of Special Elements used in an OS Command).

Published: Jun 6, 2024
Updated: May 4, 2025
CVE: CVE-2024-2359
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-78

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
lollms / lollms_web_ui	9.3	9.3.x

https://huntr.com/bounties/62144831-8d4b-4cf2-9737-5e559f7bc67e

Vulnerability Database

CVE-2024-2359

Deep Security Visibility Without the Complexity