CVE-2024-3126 - Vulnerability Details - OpenCVE

A command injection vulnerability exists in the 'run_xtts_api_server' function of the parisneo/lollms-webui application, specifically within the 'lollms_xtts.py' script. The vulnerability arises due to the improper neutralization of special elements used in an OS command. The affected function utilizes 'subprocess.Popen' to execute a command constructed with a Python f-string, without adequately sanitizing the 'xtts_base_url' input. This flaw allows attackers to execute arbitrary commands remotely by manipulating the 'xtts_base_url' parameter. The vulnerability affects versions up to and including the latest version before 9.5. Successful exploitation could lead to arbitrary remote code execution (RCE) on the system where the application is deployed.

No CVSS v4.0

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Lollms	Lollms Web Ui

Configuration 1 [-]

cpe:2.3:a:lollms:lollms_web_ui:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/parisneo/lollms-webui/commit/41dbb1b3f2e78ea276e5269544e50514252c0c25
https://huntr.com/bounties/0e2bec70-826e-4c24-8015-31921e23fd12

History

Wed, 09 Jul 2025 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Lollms Lollms lollms Web Ui
CPEs		cpe:2.3:a:lollms:lollms_web_ui::::::::
Vendors & Products		Lollms Lollms lollms Web Ui

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-05-16T09:03:47.640Z

Updated: 2024-08-01T19:32:42.607Z

Reserved: 2024-04-01T08:27:17.093Z

Link: CVE-2024-3126

Vulnrichment

Updated: 2024-08-01T19:32:42.607Z

NVD

Status : Analyzed

Published: 2024-05-16T09:15:13.840

Modified: 2025-07-09T14:36:46.093

Link: CVE-2024-3126

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3126", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-04-01T08:27:17.093Z", "datePublished": "2024-05-16T09:03:47.640Z", "dateUpdated": "2024-08-01T19:32:42.607Z"}, "containers": {"cna": {"title": "Command Injection in parisneo/lollms-webui", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-05-16T09:03:47.640Z"}, "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in the 'run_xtts_api_server' function of the parisneo/lollms-webui application, specifically within the 'lollms_xtts.py' script. The vulnerability arises due to the improper neutralization of special elements used in an OS command. The affected function utilizes 'subprocess.Popen' to execute a command constructed with a Python f-string, without adequately sanitizing the 'xtts_base_url' input. This flaw allows attackers to execute arbitrary commands remotely by manipulating the 'xtts_base_url' parameter. The vulnerability affects versions up to and including the latest version before 9.5. Successful exploitation could lead to arbitrary remote code execution (RCE) on the system where the application is deployed."}], "affected": [{"vendor": "parisneo", "product": "parisneo/lollms-webui", "versions": [{"version": "unspecified", "lessThan": "9.5", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/0e2bec70-826e-4c24-8015-31921e23fd12"}, {"url": "https://github.com/parisneo/lollms-webui/commit/41dbb1b3f2e78ea276e5269544e50514252c0c25"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command", "cweId": "CWE-78"}]}], "source": {"advisory": "0e2bec70-826e-4c24-8015-31921e23fd12", "discovery": "EXTERNAL"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3126", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-16T18:24:20.741219Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:32:18.315Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:32:42.607Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/0e2bec70-826e-4c24-8015-31921e23fd12", "tags": ["x_transferred"]}, {"url": "https://github.com/parisneo/lollms-webui/commit/41dbb1b3f2e78ea276e5269544e50514252c0c25", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/0e2bec70-826e-4c24-8015-31921e23fd12", "tags": ["x_transferred"]}, {"url": "https://github.com/parisneo/lollms-webui/commit/41dbb1b3f2e78ea276e5269544e50514252c0c25", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T19:32:42.607Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3126", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-16T18:24:20.741219Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-03T14:24:52.209Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Command Injection in parisneo/lollms-webui", "source": {"advisory": "0e2bec70-826e-4c24-8015-31921e23fd12", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "parisneo", "product": "parisneo/lollms-webui", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "9.5", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/0e2bec70-826e-4c24-8015-31921e23fd12"}, {"url": "https://github.com/parisneo/lollms-webui/commit/41dbb1b3f2e78ea276e5269544e50514252c0c25"}], "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in the 'run_xtts_api_server' function of the parisneo/lollms-webui application, specifically within the 'lollms_xtts.py' script. The vulnerability arises due to the improper neutralization of special elements used in an OS command. The affected function utilizes 'subprocess.Popen' to execute a command constructed with a Python f-string, without adequately sanitizing the 'xtts_base_url' input. This flaw allows attackers to execute arbitrary commands remotely by manipulating the 'xtts_base_url' parameter. The vulnerability affects versions up to and including the latest version before 9.5. Successful exploitation could lead to arbitrary remote code execution (RCE) on the system where the application is deployed."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-05-16T09:03:47.640Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3126", "state": "PUBLISHED", "dateUpdated": "2024-08-01T19:32:42.607Z", "dateReserved": "2024-04-01T08:27:17.093Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2024-05-16T09:03:47.640Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lollms:lollms_web_ui:*:*:*:*:*:*:*:*", "matchCriteriaId": "E7DA38B5-6496-47C5-88AF-17C4AF269B59", "versionEndExcluding": "9.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in the 'run_xtts_api_server' function of the parisneo/lollms-webui application, specifically within the 'lollms_xtts.py' script. The vulnerability arises due to the improper neutralization of special elements used in an OS command. The affected function utilizes 'subprocess.Popen' to execute a command constructed with a Python f-string, without adequately sanitizing the 'xtts_base_url' input. This flaw allows attackers to execute arbitrary commands remotely by manipulating the 'xtts_base_url' parameter. The vulnerability affects versions up to and including the latest version before 9.5. Successful exploitation could lead to arbitrary remote code execution (RCE) on the system where the application is deployed."}, {"lang": "es", "value": "Existe una vulnerabilidad de inyecci\u00f3n de comandos en la funci\u00f3n 'run_xtts_api_server' de la aplicaci\u00f3n parisneo/lollms-webui, espec\u00edficamente dentro del script 'lollms_xtts.py'. La vulnerabilidad surge debido a la neutralizaci\u00f3n inadecuada de elementos especiales utilizados en un comando del sistema operativo. La funci\u00f3n afectada utiliza 'subprocess.Popen' para ejecutar un comando construido con una cadena f de Python, sin desinfectar adecuadamente la entrada 'xtts_base_url'. Esta falla permite a los atacantes ejecutar comandos arbitrarios de forma remota manipulando el par\u00e1metro 'xtts_base_url'. La vulnerabilidad afecta a versiones hasta la \u00faltima versi\u00f3n anterior a la 9.5 incluida. Una explotaci\u00f3n exitosa podr\u00eda conducir a la ejecuci\u00f3n remota de c\u00f3digo (RCE) arbitraria en el sistema donde se implementa la aplicaci\u00f3n."}], "id": "CVE-2024-3126", "lastModified": "2025-07-09T14:36:46.093", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary"}]}, "published": "2024-05-16T09:15:13.840", "references": [{"source": "security@huntr.dev", "tags": ["Patch"], "url": "https://github.com/parisneo/lollms-webui/commit/41dbb1b3f2e78ea276e5269544e50514252c0c25"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Third Party Advisory", "Issue Tracking", "Patch"], "url": "https://huntr.com/bounties/0e2bec70-826e-4c24-8015-31921e23fd12"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/parisneo/lollms-webui/commit/41dbb1b3f2e78ea276e5269544e50514252c0c25"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "Issue Tracking", "Patch"], "url": "https://huntr.com/bounties/0e2bec70-826e-4c24-8015-31921e23fd12"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@huntr.dev", "type": "Secondary"}]}