Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Improper Neutralization of Special Elements used in an OS Command in parisneo/lollms-webui
Vulnerability Description
A vulnerability in the parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and execute arbitrary code. The issue arises from the application's handling of the `/execute_code` endpoint, which is intended to be blocked from external access by default. However, attackers can exploit the `/update_setting` endpoint, which lacks proper access control, to modify the `host` configuration at runtime. By changing the `host` setting to an attacker-controlled value, the restriction on the `/execute_code` endpoint can be bypassed, leading to remote code execution. This vulnerability is due to improper neutralization of special elements used in an OS command (`Improper Neutralization of Special Elements used in an OS Command`).
CVSS Information
N/A
Vulnerability Type
OS命令中使用的特殊元素转义处理不恰当(OS命令注入)
Vulnerability Title
LoLLMs 操作系统命令注入漏洞
Vulnerability Description
LoLLMs是Saifeddine ALOUI个人开发者的一个大型语言多模式系统的 Web UI。 LoLLMs 9.3版本存在操作系统命令注入漏洞,该漏洞源于对操作系统命令中使用的特殊元素的中和不当,从而导致攻击者可绕过预期的访问限制并执行任意代码。
CVSS Information
N/A
Vulnerability Type
N/A