CVE-2024-1602 in lollms-webuiinfo

Summary

by MITRE • 04/10/2024

parisneo/lollms-webui is vulnerable to stored Cross-Site Scripting (XSS) that leads to Remote Code Execution (RCE). The vulnerability arises due to inadequate sanitization and validation of model output data, allowing an attacker to inject malicious JavaScript code. This code can be executed within the user's browser context, enabling the attacker to send a request to the `/execute_code` endpoint and establish a reverse shell to the attacker's host. The issue affects various components of the application, including the handling of user input and model output.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/09/2025

The vulnerability identified as CVE-2024-1602 resides within the parisneo/lollms-webui application, representing a critical security flaw that combines stored cross-site scripting with remote code execution capabilities. This vulnerability stems from insufficient input validation and sanitization mechanisms within the application's data processing pipeline, particularly concerning model output handling and user input processing. The flaw allows attackers to inject malicious javascript code that persists within the application's storage mechanisms, making it a stored XSS vulnerability that can affect multiple users who interact with the compromised data.

The technical implementation of this vulnerability involves the application's failure to properly sanitize user-provided data and model-generated outputs before rendering them in web pages. When the application processes and displays content containing malicious javascript payloads, these scripts execute within the context of authenticated users' browsers. This stored XSS condition creates a persistent threat where malicious code remains embedded in the application's database or storage systems, executing whenever affected users view the compromised content. The vulnerability's severity is amplified by the application's architecture, which permits direct execution of code through the `/execute_code` endpoint, providing attackers with a clear path to establish remote access.

The operational impact of CVE-2024-1602 extends beyond typical XSS consequences, as it enables full remote code execution capabilities that can compromise entire application environments. Attackers can leverage the initial XSS payload to send malicious requests to the `/execute_code` endpoint, effectively bypassing traditional security boundaries and establishing persistent reverse shell connections to attacker-controlled infrastructure. This capability allows for complete system compromise, data exfiltration, and potential lateral movement within network environments where the application operates. The vulnerability affects core application components including user input handling, model output processing, and endpoint validation mechanisms, creating multiple attack vectors for threat actors to exploit.

Security mitigations for this vulnerability must address both the immediate XSS exposure and the underlying architectural flaws that enable RCE capabilities. Organizations should implement comprehensive input sanitization and output encoding mechanisms across all user-facing data processing pathways, following established security frameworks such as CWE-79 for cross-site scripting prevention. The application architecture requires immediate remediation of the `/execute_code` endpoint to implement proper authentication, authorization, and input validation controls. Additionally, implementing content security policies, regular security code reviews, and automated vulnerability scanning should be prioritized. According to ATT&CK framework references, this vulnerability maps to T1059.007 for command and scripting interpreter and T1566 for credential access, indicating the need for layered defensive measures including network segmentation, privileged access controls, and continuous monitoring of suspicious API endpoint usage patterns.

Responsible

Huntr.dev

Reservation

02/18/2024

Disclosure

04/10/2024

Moderation

accepted

CPE

ready

EPSS

0.00724

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!