cvelistv5 - cve-2024-1522

cve-2024-1522

Vulnerability from cvelistv5

Published

2024-03-30 18:02

Modified

2024-08-01 18:40

Severity ?

8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

Cross-Site Request Forgery (CSRF) Leading to Remote Code Execution in parisneo/lollms-webui

References

▼	URL	Tags
	security@huntr.dev	https://github.com/parisneo/lollms-webui/commit/0b51063119cfb5e391925d232a4af1de9dc32e2b
	security@huntr.dev	https://huntr.com/bounties/687cef92-3432-4d6c-af92-868eccabbb71

Impacted products

▼	Vendor	Product
	parisneo	parisneo/lollms-webui

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:parisneo:lollms-webui:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "lollms-webui",
            "vendor": "parisneo",
            "versions": [
              {
                "lessThan": "9,.2",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-1522",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-01T20:33:48.431201Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-01T20:34:39.415Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T18:40:21.324Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.com/bounties/687cef92-3432-4d6c-af92-868eccabbb71"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/parisneo/lollms-webui/commit/0b51063119cfb5e391925d232a4af1de9dc32e2b"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "parisneo/lollms-webui",
          "vendor": "parisneo",
          "versions": [
            {
              "lessThan": "9.2",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim\u0027s system. The vulnerability stems from the `/execute_code` API endpoint, which does not properly validate requests, enabling an attacker to craft a malicious webpage that, when visited by a victim, submits a form to the victim\u0027s local lollms-webui instance to execute arbitrary OS commands. This issue allows attackers to take full control of the victim\u0027s system without requiring direct network access to the vulnerable application."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-16T11:10:26.224Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntr_ai"
      },
      "references": [
        {
          "url": "https://huntr.com/bounties/687cef92-3432-4d6c-af92-868eccabbb71"
        },
        {
          "url": "https://github.com/parisneo/lollms-webui/commit/0b51063119cfb5e391925d232a4af1de9dc32e2b"
        }
      ],
      "source": {
        "advisory": "687cef92-3432-4d6c-af92-868eccabbb71",
        "discovery": "EXTERNAL"
      },
      "title": "Cross-Site Request Forgery (CSRF) Leading to Remote Code Execution in parisneo/lollms-webui"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntr_ai",
    "cveId": "CVE-2024-1522",
    "datePublished": "2024-03-30T18:02:59.260Z",
    "dateReserved": "2024-02-14T23:31:53.478Z",
    "dateUpdated": "2024-08-01T18:40:21.324Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-1522\",\"sourceIdentifier\":\"security@huntr.dev\",\"published\":\"2024-03-30T18:15:45.930\",\"lastModified\":\"2024-04-16T12:15:09.357\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim\u0027s system. The vulnerability stems from the `/execute_code` API endpoint, which does not properly validate requests, enabling an attacker to craft a malicious webpage that, when visited by a victim, submits a form to the victim\u0027s local lollms-webui instance to execute arbitrary OS commands. This issue allows attackers to take full control of the victim\u0027s system without requiring direct network access to the vulnerable application.\"},{\"lang\":\"es\",\"value\":\"Activ\u00e9 CORS porque ten\u00eda una interfaz de usuario de desarrollo que usa otro n\u00famero de puerto y luego olvid\u00e9 eliminarla. Entonces, lo que acabo de hacer es: - Primero elimin\u00e9 la configuraci\u00f3n de cors que permite a todos acceder a ella: antes: ```python sio = socketio.AsyncServer(async_mode=\\\"asgi\\\", cors_allowed_origins=\\\"*\\\", ping_timeout=1200, ping_interval= 30) # Habilite CORS para cada ``` despu\u00e9s de: ```python cert_file_path = lollms_paths.personal_certificates/\\\"cert.pem\\\" key_file_path = lollms_paths.personal_certificates/\\\"key.pem\\\" si os.path.exists(cert_file_path) y os .path.exists(key_file_path): is_https = True else: is_https = False # Crear un servidor Socket.IO sio = socketio.AsyncServer(async_mode=\\\"asgi\\\", cors_allowed_origins=config.allowed_origins+[f\\\"https://localhost:{ config[\u0027port\u0027]}\\\" if is_https else f\\\"http://localhost:{config[\u0027port\u0027]}\\\"], ping_timeout=1200, ping_interval=30) # Habilitar CORS para or\u00edgenes seleccionados ``` - Segundo, He actualizado lollms para que tenga dos modos (un modo sin cabeza y un modo ui). Y actualiz\u00f3 /execute_code para bloquear si el servidor no tiene cabeza o est\u00e1 expuesto ```python @router.post(\\\"/execute_code\\\") async def ejecutar_code(request: Request): \\\"\\\"\\\" Ejecuta el c\u00f3digo Python y devuelve la salida. : solicitud de par\u00e1metro: el objeto de solicitud HTTP. :return: una respuesta JSON con el estado de la operaci\u00f3n. \\\"\\\"\\\" if lollmsElfServer.config.headless_server_mode: return {\\\"status\\\":False,\\\"error\\\":\\\"La ejecuci\u00f3n del c\u00f3digo est\u00e1 bloqueada cuando est\u00e1 en \u00a1modo sin cabeza por razones obvias de seguridad!\\\"} if lollmsElfServer.config.host==\\\"0.0.0.0\\\": return {\\\"status\\\":False,\\\"error\\\":\\\"La ejecuci\u00f3n del c\u00f3digo se bloquea cuando el servidor est\u00e1 expuesto al exterior por razones muy obvias !\\\"} intente: datos = (espera solicitud.json()) c\u00f3digo = datos[\\\"c\u00f3digo\\\"] id_discusi\u00f3n = int(data.get(\\\"id_discusi\u00f3n\\\",\\\"discusi\u00f3n_desconocida\\\")) id_mensaje = int(data.get(\\\"id_mensaje) \\\",\\\"unknown_message\\\")) language = data.get(\\\"language\\\",\\\"python\\\") if language==\\\"python\\\": ASCIIColors.info(\\\"Ejecutando c\u00f3digo python:\\\") ASCIIColors.amarillo(c\u00f3digo) return ejecutar_python(c\u00f3digo) , id_discusi\u00f3n, id_mensaje) if idioma==\\\"javascript\\\": ASCIIColors.info(\\\"Ejecutando c\u00f3digo javascript:\\\") ASCIIColors.amarillo(c\u00f3digo) devuelve ejecutar_javascript(c\u00f3digo, id_discusi\u00f3n, id_mensaje) si el idioma est\u00e1 en [\\\"html\\\",\\\"html5\\\" ,\\\"svg\\\"]: ASCIIColors.info(\\\"Ejecutando c\u00f3digo javascript:\\\") ASCIIColors.amarillo(c\u00f3digo) return ejecutar_html(c\u00f3digo, id_discusi\u00f3n, id_mensaje) elif language==\\\"latex\\\": ASCIIColors.info(\\\"Ejecutando c\u00f3digo latex:\\\" ) ASCIIColors.amarillo(c\u00f3digo) devuelve ejecutar_latex(c\u00f3digo, id_discusi\u00f3n, id_mensaje) lenguaje elif en [\\\"bash\\\",\\\"shell\\\",\\\"cmd\\\",\\\"powershell\\\"]: ASCIIColors.info(\\\"Ejecutando c\u00f3digo de shell:\\\") ASCIIColors. amarillo(c\u00f3digo) devuelve ejecutar_bash(c\u00f3digo, id_discusi\u00f3n, id_mensaje) idioma elif en [\\\"sirena\\\"]: ASCIIColors.info(\\\"Ejecutando c\u00f3digo de sirena:\\\") ASCIIColors.amarillo(c\u00f3digo) devuelve ejecutar_mermaid(c\u00f3digo, id_discusi\u00f3n, id_mensaje) idioma elif en [\\\"graphviz\\\",\\\"punto\\\"]: ASCIIColors.info(\\\"Ejecutando c\u00f3digo Graphviz:\\\") ASCIIColors.amarillo(c\u00f3digo) return ejecutar_graphviz(c\u00f3digo, id_discusi\u00f3n, id_mensaje) return {\\\"status\\\": False, \\\"error\\\": \\\" Idioma no admitido\\\", \\\"execution_time\\\": 0} excepto excepci\u00f3n como por ejemplo: trace_exception(ex) lollmsElfServer.error(ex) return {\\\"status\\\":False,\\\"error\\\":str(ex)} ``` Tambi\u00e9n agregu\u00e9 un opcional modo https y esperamos agregar una autenticaci\u00f3n completa con cookies y una sesi\u00f3n personal, etc. Todas las actualizaciones estar\u00e1n en la versi\u00f3n 9.1 nuevamente, muchas gracias por su trabajo. Lo har\u00e9 m\u00e1s dif\u00edcil la pr\u00f3xima vez, pero si encuentras m\u00e1s errores, s\u00e9 mi invitado :)\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@huntr.dev\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"references\":[{\"url\":\"https://github.com/parisneo/lollms-webui/commit/0b51063119cfb5e391925d232a4af1de9dc32e2b\",\"source\":\"security@huntr.dev\"},{\"url\":\"https://huntr.com/bounties/687cef92-3432-4d6c-af92-868eccabbb71\",\"source\":\"security@huntr.dev\"}]}}"
  }
}

ghsa-4qp4-9mwx-276r

Vulnerability from github

Published

2024-03-30 18:30

Modified

2024-03-30 18:30

Severity ?

8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

I have activated the CORS because I had a development ui that uses another port number then I forgot to remove it.

So what I just did is : - First removed the cors configuration that allows everyone to access it : before: python sio = socketio.AsyncServer(async_mode="asgi", cors_allowed_origins="*", ping_timeout=1200, ping_interval=30) # Enable CORS for every one after: ```python cert_file_path = lollms_paths.personal_certificates/"cert.pem" key_file_path = lollms_paths.personal_certificates/"key.pem" if os.path.exists(cert_file_path) and os.path.exists(key_file_path): is_https = True else: is_https = False

# Create a Socket.IO server
sio = socketio.AsyncServer(async_mode="asgi", cors_allowed_origins=config.allowed_origins+[f"https://localhost:{config['port']}" if is_https else f"http://localhost:{config['port']}"], ping_timeout=1200, ping_interval=30)  # Enable CORS for selected origins

```

Second, I have updated lollms to have two modes (a headless mode and a ui mode). And updated the /execute_code to block if the server is headless or is exposed ```python @router.post("/execute_code") async def execute_code(request: Request): """ Executes Python code and returns the output.

:param request: The HTTP request object. :return: A JSON response with the status of the operation. """ if lollmsElfServer.config.headless_server_mode: return {"status":False,"error":"Code execution is blocked when in headless mode for obvious security reasons!"}

if lollmsElfServer.config.host=="0.0.0.0": return {"status":False,"error":"Code execution is blocked when the server is exposed outside for very obvipous reasons!"}

try: data = (await request.json()) code = data["code"] discussion_id = int(data.get("discussion_id","unknown_discussion")) message_id = int(data.get("message_id","unknown_message")) language = data.get("language","python")

if language=="python":
    ASCIIColors.info("Executing python code:")
    ASCIIColors.yellow(code)
    return execute_python(code, discussion_id, message_id)
if language=="javascript":
    ASCIIColors.info("Executing javascript code:")
    ASCIIColors.yellow(code)
    return execute_javascript(code, discussion_id, message_id)
if language in ["html","html5","svg"]:
    ASCIIColors.info("Executing javascript code:")
    ASCIIColors.yellow(code)
    return execute_html(code, discussion_id, message_id)

elif language=="latex":
    ASCIIColors.info("Executing latex code:")
    ASCIIColors.yellow(code)
    return execute_latex(code, discussion_id, message_id)
elif language in ["bash","shell","cmd","powershell"]:
    ASCIIColors.info("Executing shell code:")
    ASCIIColors.yellow(code)
    return execute_bash(code, discussion_id, message_id)
elif language in ["mermaid"]:
    ASCIIColors.info("Executing mermaid code:")
    ASCIIColors.yellow(code)
    return execute_mermaid(code, discussion_id, message_id)
elif language in ["graphviz","dot"]:
    ASCIIColors.info("Executing graphviz code:")
    ASCIIColors.yellow(code)
    return execute_graphviz(code, discussion_id, message_id)
return {"status": False, "error": "Unsupported language", "execution_time": 0}

except Exception as ex: trace_exception(ex) lollmsElfServer.error(ex) return {"status":False,"error":str(ex)} ```

I also added an optional https mode and looking forward to add a full authentication with cookies and a personal session etc.

All updates will be in V 9.1

Again, thanks alot for your work. I will make it harder next time, but if you find more bugs, just be my guest :)

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-1522"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-30T18:15:45Z",
    "severity": "HIGH"
  },
  "details": "I have activated the CORS because I had a development ui that uses another port number then I forgot to remove it.\n\nSo what I just did is :\n- First removed the cors configuration that allows everyone to access it :\nbefore:\n```python\n    sio = socketio.AsyncServer(async_mode=\"asgi\", cors_allowed_origins=\"*\", ping_timeout=1200, ping_interval=30)  # Enable CORS for every one\n```\nafter:\n```python\n    cert_file_path = lollms_paths.personal_certificates/\"cert.pem\"\n    key_file_path = lollms_paths.personal_certificates/\"key.pem\"\n    if os.path.exists(cert_file_path) and os.path.exists(key_file_path):\n        is_https = True\n    else:\n        is_https = False        \n\n    # Create a Socket.IO server\n    sio = socketio.AsyncServer(async_mode=\"asgi\", cors_allowed_origins=config.allowed_origins+[f\"https://localhost:{config[\u0027port\u0027]}\" if is_https else f\"http://localhost:{config[\u0027port\u0027]}\"], ping_timeout=1200, ping_interval=30)  # Enable CORS for selected origins\n```\n\n- Second, I have updated lollms to have two modes (a headless mode and a ui mode).\nAnd updated the /execute_code to block if the server is headless or is exposed\n```python\n@router.post(\"/execute_code\")\nasync def execute_code(request: Request):\n    \"\"\"\n    Executes Python code and returns the output.\n\n    :param request: The HTTP request object.\n    :return: A JSON response with the status of the operation.\n    \"\"\"\n    if lollmsElfServer.config.headless_server_mode:\n        return {\"status\":False,\"error\":\"Code execution is blocked when in headless mode for obvious security reasons!\"}\n\n    if lollmsElfServer.config.host==\"0.0.0.0\":\n        return {\"status\":False,\"error\":\"Code execution is blocked when the server is exposed outside for very obvipous reasons!\"}\n\n    try:\n        data = (await request.json())\n        code = data[\"code\"]\n        discussion_id = int(data.get(\"discussion_id\",\"unknown_discussion\"))\n        message_id = int(data.get(\"message_id\",\"unknown_message\"))\n        language = data.get(\"language\",\"python\")\n        \n\n\n        if language==\"python\":\n            ASCIIColors.info(\"Executing python code:\")\n            ASCIIColors.yellow(code)\n            return execute_python(code, discussion_id, message_id)\n        if language==\"javascript\":\n            ASCIIColors.info(\"Executing javascript code:\")\n            ASCIIColors.yellow(code)\n            return execute_javascript(code, discussion_id, message_id)\n        if language in [\"html\",\"html5\",\"svg\"]:\n            ASCIIColors.info(\"Executing javascript code:\")\n            ASCIIColors.yellow(code)\n            return execute_html(code, discussion_id, message_id)\n        \n        elif language==\"latex\":\n            ASCIIColors.info(\"Executing latex code:\")\n            ASCIIColors.yellow(code)\n            return execute_latex(code, discussion_id, message_id)\n        elif language in [\"bash\",\"shell\",\"cmd\",\"powershell\"]:\n            ASCIIColors.info(\"Executing shell code:\")\n            ASCIIColors.yellow(code)\n            return execute_bash(code, discussion_id, message_id)\n        elif language in [\"mermaid\"]:\n            ASCIIColors.info(\"Executing mermaid code:\")\n            ASCIIColors.yellow(code)\n            return execute_mermaid(code, discussion_id, message_id)\n        elif language in [\"graphviz\",\"dot\"]:\n            ASCIIColors.info(\"Executing graphviz code:\")\n            ASCIIColors.yellow(code)\n            return execute_graphviz(code, discussion_id, message_id)\n        return {\"status\": False, \"error\": \"Unsupported language\", \"execution_time\": 0}\n    except Exception as ex:\n        trace_exception(ex)\n        lollmsElfServer.error(ex)\n        return {\"status\":False,\"error\":str(ex)}\n```\n\nI also added an optional https mode and looking forward to add a full authentication with cookies and a personal session etc.\n\n\nAll updates will be in V 9.1 \n\n\nAgain, thanks alot for your work. I will make it harder next time, but if you find more bugs, just be my guest :)",
  "id": "GHSA-4qp4-9mwx-276r",
  "modified": "2024-03-30T18:30:54Z",
  "published": "2024-03-30T18:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1522"
    },
    {
      "type": "WEB",
      "url": "https://github.com/parisneo/lollms-webui/commit/0b51063119cfb5e391925d232a4af1de9dc32e2b"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/687cef92-3432-4d6c-af92-868eccabbb71"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

gsd-2024-1522

Vulnerability from gsd

Modified

2024-02-15 06:02

Details

The parisneo/lollms-webui does not have CSRF protections. As a result, an attacker is able to execute arbitrary OS commands via the `/execute_code` API endpoint by tricking a user into visiting a specially crafted webpage.

Aliases

CVE-2024-1522

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-1522"
      ],
      "details": "The parisneo/lollms-webui does not have CSRF protections. As a result, an attacker is able to execute arbitrary OS commands via the `/execute_code` API endpoint by tricking a user into visiting a specially crafted webpage.",
      "id": "GSD-2024-1522",
      "modified": "2024-02-15T06:02:24.009806Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@huntr.com",
        "ID": "CVE-2024-1522",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "parisneo/lollms-webui",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "unspecified",
                          "version_value": "9.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "parisneo"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim\u0027s system. The vulnerability stems from the `/execute_code` API endpoint, which does not properly validate requests, enabling an attacker to craft a malicious webpage that, when visited by a victim, submits a form to the victim\u0027s local lollms-webui instance to execute arbitrary OS commands. This issue allows attackers to take full control of the victim\u0027s system without requiring direct network access to the vulnerable application."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-352",
                "lang": "eng",
                "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://huntr.com/bounties/687cef92-3432-4d6c-af92-868eccabbb71",
            "refsource": "MISC",
            "url": "https://huntr.com/bounties/687cef92-3432-4d6c-af92-868eccabbb71"
          },
          {
            "name": "https://github.com/parisneo/lollms-webui/commit/0b51063119cfb5e391925d232a4af1de9dc32e2b",
            "refsource": "MISC",
            "url": "https://github.com/parisneo/lollms-webui/commit/0b51063119cfb5e391925d232a4af1de9dc32e2b"
          }
        ]
      },
      "source": {
        "advisory": "687cef92-3432-4d6c-af92-868eccabbb71",
        "discovery": "EXTERNAL"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "descriptions": [
          {
            "lang": "en",
            "value": "A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim\u0027s system. The vulnerability stems from the `/execute_code` API endpoint, which does not properly validate requests, enabling an attacker to craft a malicious webpage that, when visited by a victim, submits a form to the victim\u0027s local lollms-webui instance to execute arbitrary OS commands. This issue allows attackers to take full control of the victim\u0027s system without requiring direct network access to the vulnerable application."
          },
          {
            "lang": "es",
            "value": "Activ\u00e9 CORS porque ten\u00eda una interfaz de usuario de desarrollo que usa otro n\u00famero de puerto y luego olvid\u00e9 eliminarla. Entonces, lo que acabo de hacer es: - Primero elimin\u00e9 la configuraci\u00f3n de cors que permite a todos acceder a ella: antes: ```python sio = socketio.AsyncServer(async_mode=\"asgi\", cors_allowed_origins=\"*\", ping_timeout=1200, ping_interval= 30) # Habilite CORS para cada ``` despu\u00e9s de: ```python cert_file_path = lollms_paths.personal_certificates/\"cert.pem\" key_file_path = lollms_paths.personal_certificates/\"key.pem\" si os.path.exists(cert_file_path) y os .path.exists(key_file_path): is_https = True else: is_https = False # Crear un servidor Socket.IO sio = socketio.AsyncServer(async_mode=\"asgi\", cors_allowed_origins=config.allowed_origins+[f\"https://localhost:{ config[\u0027port\u0027]}\" if is_https else f\"http://localhost:{config[\u0027port\u0027]}\"], ping_timeout=1200, ping_interval=30) # Habilitar CORS para or\u00edgenes seleccionados ``` - Segundo, He actualizado lollms para que tenga dos modos (un modo sin cabeza y un modo ui). Y actualiz\u00f3 /execute_code para bloquear si el servidor no tiene cabeza o est\u00e1 expuesto ```python @router.post(\"/execute_code\") async def ejecutar_code(request: Request): \"\"\" Ejecuta el c\u00f3digo Python y devuelve la salida. : solicitud de par\u00e1metro: el objeto de solicitud HTTP. :return: una respuesta JSON con el estado de la operaci\u00f3n. \"\"\" if lollmsElfServer.config.headless_server_mode: return {\"status\":False,\"error\":\"La ejecuci\u00f3n del c\u00f3digo est\u00e1 bloqueada cuando est\u00e1 en \u00a1modo sin cabeza por razones obvias de seguridad!\"} if lollmsElfServer.config.host==\"0.0.0.0\": return {\"status\":False,\"error\":\"La ejecuci\u00f3n del c\u00f3digo se bloquea cuando el servidor est\u00e1 expuesto al exterior por razones muy obvias !\"} intente: datos = (espera solicitud.json()) c\u00f3digo = datos[\"c\u00f3digo\"] id_discusi\u00f3n = int(data.get(\"id_discusi\u00f3n\",\"discusi\u00f3n_desconocida\")) id_mensaje = int(data.get(\"id_mensaje) \",\"unknown_message\")) language = data.get(\"language\",\"python\") if language==\"python\": ASCIIColors.info(\"Ejecutando c\u00f3digo python:\") ASCIIColors.amarillo(c\u00f3digo) return ejecutar_python(c\u00f3digo) , id_discusi\u00f3n, id_mensaje) if idioma==\"javascript\": ASCIIColors.info(\"Ejecutando c\u00f3digo javascript:\") ASCIIColors.amarillo(c\u00f3digo) devuelve ejecutar_javascript(c\u00f3digo, id_discusi\u00f3n, id_mensaje) si el idioma est\u00e1 en [\"html\",\"html5\" ,\"svg\"]: ASCIIColors.info(\"Ejecutando c\u00f3digo javascript:\") ASCIIColors.amarillo(c\u00f3digo) return ejecutar_html(c\u00f3digo, id_discusi\u00f3n, id_mensaje) elif language==\"latex\": ASCIIColors.info(\"Ejecutando c\u00f3digo latex:\" ) ASCIIColors.amarillo(c\u00f3digo) devuelve ejecutar_latex(c\u00f3digo, id_discusi\u00f3n, id_mensaje) lenguaje elif en [\"bash\",\"shell\",\"cmd\",\"powershell\"]: ASCIIColors.info(\"Ejecutando c\u00f3digo de shell:\") ASCIIColors. amarillo(c\u00f3digo) devuelve ejecutar_bash(c\u00f3digo, id_discusi\u00f3n, id_mensaje) idioma elif en [\"sirena\"]: ASCIIColors.info(\"Ejecutando c\u00f3digo de sirena:\") ASCIIColors.amarillo(c\u00f3digo) devuelve ejecutar_mermaid(c\u00f3digo, id_discusi\u00f3n, id_mensaje) idioma elif en [\"graphviz\",\"punto\"]: ASCIIColors.info(\"Ejecutando c\u00f3digo Graphviz:\") ASCIIColors.amarillo(c\u00f3digo) return ejecutar_graphviz(c\u00f3digo, id_discusi\u00f3n, id_mensaje) return {\"status\": False, \"error\": \" Idioma no admitido\", \"execution_time\": 0} excepto excepci\u00f3n como por ejemplo: trace_exception(ex) lollmsElfServer.error(ex) return {\"status\":False,\"error\":str(ex)} ``` Tambi\u00e9n agregu\u00e9 un opcional modo https y esperamos agregar una autenticaci\u00f3n completa con cookies y una sesi\u00f3n personal, etc. Todas las actualizaciones estar\u00e1n en la versi\u00f3n 9.1 nuevamente, muchas gracias por su trabajo. Lo har\u00e9 m\u00e1s dif\u00edcil la pr\u00f3xima vez, pero si encuentras m\u00e1s errores, s\u00e9 mi invitado :)"
          }
        ],
        "id": "CVE-2024-1522",
        "lastModified": "2024-04-16T12:15:09.357",
        "metrics": {
          "cvssMetricV30": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "exploitabilityScore": 2.8,
              "impactScore": 5.9,
              "source": "security@huntr.dev",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-03-30T18:15:45.930",
        "references": [
          {
            "source": "security@huntr.dev",
            "url": "https://github.com/parisneo/lollms-webui/commit/0b51063119cfb5e391925d232a4af1de9dc32e2b"
          },
          {
            "source": "security@huntr.dev",
            "url": "https://huntr.com/bounties/687cef92-3432-4d6c-af92-868eccabbb71"
          }
        ],
        "sourceIdentifier": "security@huntr.dev",
        "vulnStatus": "Awaiting Analysis",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-352"
              }
            ],
            "source": "security@huntr.dev",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2024-1522

Vulnerability from cvelistv5

ghsa-4qp4-9mwx-276r

Vulnerability from github

gsd-2024-1522

Vulnerability from gsd

Tags

Sightings

Nomenclature