CVE-2024-9920

In version v12 of parisneo/lollms-webui, the 'Send file to AL' function allows uploading files with various extensions, including potentially dangerous ones like .py, .sh, .bat, and more. Attackers can exploit this by uploading files with malicious content and then using the '/open_file' API endpoint to execute these files. The vulnerability arises from the use of 'subprocess.Popen' to open files without proper validation, leading to potential remote code execution.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/c70c6732-23b3-4ef8-aec6-0a47467d1ed5	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lollms:lollms_web_ui:12:*:*:*:*:*:*:*

History

03 Apr 2025, 18:02

Type	Values Removed	Values Added
Summary		(es) En la versión v12 de parisneo/lollms-webui, la función "Enviar archivo a AL" permite subir archivos con diversas extensiones, incluyendo algunas potencialmente peligrosas como .py, .sh, .bat y otras. Los atacantes pueden explotar esto subiendo archivos con contenido malicioso y utilizando el endpoint de la API "/open_file" para ejecutarlos. La vulnerabilidad surge del uso de "subprocess.Popen" para abrir archivos sin la validación adecuada, lo que puede provocar la ejecución remota de código.
CPE		cpe:2.3:a:lollms:lollms_web_ui:12:::::::*
References	~~() https://huntr.com/bounties/c70c6732-23b3-4ef8-aec6-0a47467d1ed5 -~~	() https://huntr.com/bounties/c70c6732-23b3-4ef8-aec6-0a47467d1ed5 - Exploit, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~6.6~~	v2 : unknown v3 : 8.8
First Time		Lollms Lollms lollms Web Ui

20 Mar 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-20 10:15

Updated : 2025-04-03 18:02

NVD link : CVE-2024-9920

Mitre link : CVE-2024-9920

CVE.ORG link : CVE-2024-9920

JSON object : View

Products Affected

lollms

lollms_web_ui

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2024-9920", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 6.6, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.7}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2025-03-20T10:15:50.787", "references": [{"url": "https://huntr.com/bounties/c70c6732-23b3-4ef8-aec6-0a47467d1ed5", "tags": ["Exploit", "Third Party Advisory"], "source": "security@huntr.dev"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-434"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "In version v12 of parisneo/lollms-webui, the 'Send file to AL' function allows uploading files with various extensions, including potentially dangerous ones like .py, .sh, .bat, and more. Attackers can exploit this by uploading files with malicious content and then using the '/open_file' API endpoint to execute these files. The vulnerability arises from the use of 'subprocess.Popen' to open files without proper validation, leading to potential remote code execution."}, {"lang": "es", "value": "En la versi\u00f3n v12 de parisneo/lollms-webui, la funci\u00f3n \"Enviar archivo a AL\" permite subir archivos con diversas extensiones, incluyendo algunas potencialmente peligrosas como .py, .sh, .bat y otras. Los atacantes pueden explotar esto subiendo archivos con contenido malicioso y utilizando el endpoint de la API \"/open_file\" para ejecutarlos. La vulnerabilidad surge del uso de \"subprocess.Popen\" para abrir archivos sin la validaci\u00f3n adecuada, lo que puede provocar la ejecuci\u00f3n remota de c\u00f3digo."}], "lastModified": "2025-04-03T18:02:58.177", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lollms:lollms_web_ui:12:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13C2AF1C-0ECA-4677-8686-A1F6F67A5E0B"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}