A command injection vulnerability exists in the 'run_xtts_api_server' function of the parisneo/lollms-webui application, specifically within the 'lollms_xtts.py' script. The vulnerability arises due to the improper neutralization of special elements used in an OS command. The affected function utilizes 'subprocess.Popen' to execute a command constructed with a Python f-string, without adequately sanitizing the 'xtts_base_url' input. This flaw allows attackers to execute arbitrary commands remotely by manipulating the 'xtts_base_url' parameter. The vulnerability affects versions up to and including the latest version before 9.5. Successful exploitation could lead to arbitrary remote code execution (RCE) on the system where the application is deployed.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-05-16T09:03:47.640Z

Updated: 2024-08-01T19:32:42.607Z

Reserved: 2024-04-01T08:27:17.093Z

Link: CVE-2024-3126

cve-icon Vulnrichment

Updated: 2024-08-01T19:32:42.607Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-05-16T09:15:13.840

Modified: 2024-05-16T13:03:05.353

Link: CVE-2024-3126

cve-icon Redhat

No data.