CVE-2024-1602

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-1602

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-1602.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-1602

Published

2024-04-10T17:15:52.537Z

Modified

2026-04-10T05:07:48.849676Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

parisneo/lollms-webui is vulnerable to stored Cross-Site Scripting (XSS) that leads to Remote Code Execution (RCE). The vulnerability arises due to inadequate sanitization and validation of model output data, allowing an attacker to inject malicious JavaScript code. This code can be executed within the user's browser context, enabling the attacker to send a request to the /execute_code endpoint and establish a reverse shell to the attacker's host. The issue affects various components of the application, including the handling of user input and model output.

References

https://huntr.com/bounties/59be0d5a-f18e-4418-8f29-72320269a097

Affected packages

Git / github.com/parisneo/lollms-webui

Affected ranges

Type

GIT

Repo

https://github.com/parisneo/lollms-webui

Events

Introduced

Last affected

80d72ca433cf0cb8318e0d08fa774b608aa29f05

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0"
        }
    ]
}

Affected versions

v0.*

v0.0.1

v0.0.2

v0.0.3

v0.0.5

v0.0.6

v0.0.7

v0.0.8

v0.0.9

v3.*

v3.0

v3.5

v4.*

v4.0

v5.*

v5.0

v6.*

v6.0

v6.5

v6.5.0

v6.5rc2

v6.7

v7.*

v7.0

v8.*

v8.5

v9.*

v9.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-1602.json"