CVE-2024-10019
Last modified
CVE-2024-10019 is a medium-severity vulnerability rated 6.7/10 on the CVSS scale. A vulnerability in the `start_app_server` function of parisneo/lollms-webui V12 (Strawberry) allows for path traversal and OS command injection. The function does not properly sanitize the `app_name` parameter, enabling an attacker to upload a malicious `server.py` file and execute arbitrary code by exploiting the path traversal vulnerability.. EPSS estimates a 0.80% chance of exploitation in the next 30 days.
Description
A vulnerability in the `start_app_server` function of parisneo/lollms-webui V12 (Strawberry) allows for path traversal and OS command injection. The function does not properly sanitize the `app_name` parameter, enabling an attacker to upload a malicious `server.py` file and execute arbitrary code by exploiting the path traversal vulnerability.
Metrics
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Lollms | Lollms Web Ui | 12 |
References
- https://huntr.com/bounties/3cf80890-2d8a-4fc7-8e0e-6d4bf648b3eaExploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2024-10019?
How severe is CVE-2024-10019?
How do I fix CVE-2024-10019?
Are you affected by CVE-2024-10019?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST