
CVE-2024-6982
Date: March 20, 2025
A remote code execution vulnerability exists in the Calculate function of parisneo/lollms version 9.8. The vulnerability arises from the use of Python's "eval()" function to evaluate mathematical expressions within a Python sandbox that disables "__builtins__" and only allows functions from the "math" module. This sandbox can be bypassed by loading the "os" module using the "_frozen_importlib.BuiltinImporter" class, allowing an attacker to execute arbitrary commands on the server. The issue is fixed in version 9.10.
Severity Score
Weakness Type (CWE)
Improper Control of Generation of Code ('Code Injection')
CWE-94

CVSS v3.1

| Metric | Value |
|---|---|
| Base Score: | |
| Attack Vector (AV): | LOCAL |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | NONE |
| User Interaction (UI): | NONE |
| Scope (S): | UNCHANGED |
| Confidentiality (C): | HIGH |
| Integrity (I): | HIGH |
| Availability (A): | HIGH |