How severe is CVE-2024-4326?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2024-4326?

This is classified as CWE-15, which is a common weakness in software security.

CVE-2024-4326 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

A vulnerability in parisneo/lollms-webui versions up to 9.3 allows remote attackers to execute arbitrary code. The vulnerability stems from insufficient protection of the `/apply_settings` and `/execute_code` endpoints. Attackers can bypass protections by setting the host to localhost, enabling code execution, and disabling code validation through the `/apply_settings` endpoint. Subsequently, arbitrary commands can be executed remotely via the `/execute_code` endpoint, exploiting the delay in settings enforcement. This issue was addressed in version 9.5.

Related Vulnerabilities

CVE-2023-50252

CRITICAL

CVSS:9.8(Critical)

php-svg-lib is an SVG file parsing / rendering library. Prior to version 0.5.1, when handling `<use>` tag that references an `<image>` tag, it merges the attributes from the `<use>` tag to the `<image...

CWE-152023

CVE-2021-38453

CRITICAL

CVSS:9.1(Critical)

Some API functions allow interaction with the registry, which includes reading values as well as data modification.

CWE-152021

CVE-2024-38666

CRITICAL

CVSS:9.1(Critical)

An external config control vulnerability exists in the openvpn.cgi openvpn_client_setup() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary com...

CWE-152024

CVE-2024-39280

CRITICAL

CVSS:9.1(Critical)

An external config control vulnerability exists in the nas.cgi set_smb_cfg() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command executio...

CWE-152024

CVE-2024-39602

CRITICAL

CVSS:9.1(Critical)

An external config control vulnerability exists in the nas.cgi set_nas() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. A...

CWE-152024

CVE-2024-39788

CRITICAL

CVSS:9.1(Critical)

Multiple external config control vulnerabilities exist in the nas.cgi set_ftp_cfg() functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to permission bypass. ...

CWE-152024