CVE-2024-1522

Description

A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victims system. The vulnerability stems from the `/execute_code` API endpoint, which does not properly validate requests, enabling an attacker to craft a malicious webpage that, when visited by a victim, submits a form to the victims local lollms-webui instance to execute arbitrary OS commands. This issue allows attackers to take full control of the victims system without requiring direct network access to the vulnerable application.