CVE-2024-10019

A vulnerability in the `start_app_server` function of parisneo/lollms-webui V12 (Strawberry) allows for path traversal and OS command injection. The function does not properly sanitize the `app_name` parameter, enabling an attacker to upload a malicious `server.py` file and execute arbitrary code by exploiting the path traversal vulnerability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.3 MEDIUM
LOCAL
LOW
HIGH
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
@huntr_aiCNA
6.3 MEDIUM
LOCAL
LOW
HIGH
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 31%
Common Weakness Enumeration
References
https://huntr.com/bounties/3cf80890-2d8a-4fc7-8e0e-6d4bf648b3ea