{"id":"CVE-2024-2359","details":"A vulnerability in the parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and execute arbitrary code. The issue arises from the application's handling of the `/execute_code` endpoint, which is intended to be blocked from external access by default. However, attackers can exploit the `/update_setting` endpoint, which lacks proper access control, to modify the `host` configuration at runtime. By changing the `host` setting to an attacker-controlled value, the restriction on the `/execute_code` endpoint can be bypassed, leading to remote code execution. This vulnerability is due to improper neutralization of special elements used in an OS command (`Improper Neutralization of Special Elements used in an OS Command`).","modified":"2026-04-10T05:09:34.474454Z","published":"2024-06-06T19:15:54.353Z","references":[{"type":"EVIDENCE","url":"https://huntr.com/bounties/62144831-8d4b-4cf2-9737-5e559f7bc67e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/parisneo/lollms-webui","events":[{"introduced":"0"},{"last_affected":"5f93989bdd697654f7d351643e322bc6a6225cb3"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"9.3"}]}}],"versions":["v0.0.1","v0.0.2","v0.0.3","v0.0.5","v0.0.6","v0.0.7","v0.0.8","v0.0.9","v3.0","v3.5","v4.0","v5.0","v6.0","v6.5","v6.5.0","v6.5rc2","v6.7","v7.0","v8.5","v9.0","v9.1","v9.2","v9.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-2359.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}