← Back to CVE List

CVE-2024-1522

Published: 2024-03-30T18:15Z
Last Modified: 2024-11-21T08:50Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim's system. The vulnerability stems from the `/execute_code` API endpoint, which does not properly validate requests, enabling an attacker to craft a malicious webpage that, when visited by a victim, submits a form to the victim's local lollms-webui instance to execute arbitrary OS commands. This issue allows attackers to take full control of the victim's system without requiring direct network access to the vulnerable application. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt