CVE-2024-1601
Published: 16 April 2024
Summary
CVE-2024-1601 is a critical-severity SQL Injection (CWE-89) vulnerability in Lollms Lollms-Webui. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 9.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
An SQL injection vulnerability exists in the delete_discussion() function of the parisneo/lollms-webui application. The flaw stems from improper neutralization of special elements in SQL commands and is reachable via the /delete_discussion HTTP endpoint, where an attacker-controlled "id" parameter is used directly in database queries against the discussion and message tables.
An unauthenticated remote attacker can submit a crafted POST request containing a malicious payload in the id field. Successful exploitation deletes all records from the discussion and message tables, resulting in complete loss of conversation history and associated data. The issue carries a CVSS 3.1 score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction.
Public references point to a fix merged in commit f0bc8f2babdfd4770a5adbf3b60ec612e4f1db46 on the upstream repository, along with a detailed report published on huntr.com that describes the same injection vector and remediation.
EPSS scores have remained low and stable near 0.05 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-17342
Vulnerability details
An SQL injection vulnerability exists in the `delete_discussion()` function of the parisneo/lollms-webui application, allowing an attacker to delete all discussions and message data. The vulnerability is exploitable via a crafted HTTP POST request to the `/delete_discussion` endpoint, which internally calls the vulnerable `delete_discussion()` function. By sending a specially crafted payload in the 'id' parameter, an attacker can manipulate SQL queries to delete all records from the 'discussion' and 'message' tables. This issue is due to improper neutralization of special elements used in an SQL command.
- CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')
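The weakness described in both the Deeper analysis and the Vulnerability details above is the same one: a request-supplied `id` spliced into the SQL text of two DELETE statements. The block below is an added Python example written for this page, not code from lollms-webui and not the content of the referenced fix commit. It shows the string-building pattern next to a hardened form that validates the value at the request boundary and binds it as a query parameter. The sqlite3 backend, the table columns, the helper names and the seeded rows are all assumptions or constructed sample data.

```python
import re
import sqlite3
from typing import List, Tuple

# Constructed schema standing in for the two tables the advisory names;
# column names are assumptions, not taken from lollms-webui.
SCHEMA = """
CREATE TABLE discussion (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE message (id INTEGER PRIMARY KEY, discussion_id INTEGER, content TEXT);
"""


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with three discussions and one message each (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for i in (1, 2, 3):
        conn.execute("INSERT INTO discussion (id, title) VALUES (?, ?)", (i, f"chat {i}"))
        conn.execute("INSERT INTO message (discussion_id, content) VALUES (?, ?)", (i, f"hello {i}"))
    conn.commit()
    return conn


def vulnerable_sql(discussion_id: str) -> List[str]:
    """CWE-89 pattern (illustrative): the request's 'id' value is pasted into the SQL text,
    so whatever the client sent becomes part of the command instead of a bound value."""
    return [
        f"DELETE FROM message WHERE discussion_id = {discussion_id}",
        f"DELETE FROM discussion WHERE id = {discussion_id}",
    ]


def delete_discussion_vulnerable(conn: sqlite3.Connection, discussion_id: str) -> None:
    """Executes the string-built statements with no validation of discussion_id at all."""
    with conn:
        for stmt in vulnerable_sql(discussion_id):
            conn.execute(stmt)


def delete_discussion_fixed(conn: sqlite3.Connection, discussion_id: str) -> int:
    """Hardened form (assumed remediation, not necessarily the upstream commit):
    1. reject anything that is not a plain ASCII non-negative integer at the boundary;
    2. bind the value through a '?' placeholder so it can only ever be data.
    Returns the number of discussion rows removed (0 if the id did not exist)."""
    if not isinstance(discussion_id, str) or not re.fullmatch(r"[0-9]+", discussion_id):
        raise ValueError("id must be a non-negative integer")
    did = int(discussion_id)
    with conn:
        conn.execute("DELETE FROM message WHERE discussion_id = ?", (did,))
        cur = conn.execute("DELETE FROM discussion WHERE id = ?", (did,))
    return cur.rowcount


def row_counts(conn: sqlite3.Connection) -> Tuple[int, int]:
    """(discussions, messages) remaining, used to check the blast radius of each call."""
    d = conn.execute("SELECT COUNT(*) FROM discussion").fetchone()[0]
    m = conn.execute("SELECT COUNT(*) FROM message").fetchone()[0]
    return d, m


if __name__ == "__main__":
    conn = make_db()
    print(row_counts(conn))                    # (3, 3)
    print(delete_discussion_fixed(conn, "2"))  # 1
    print(row_counts(conn))                    # (2, 2)
    try:
        delete_discussion_fixed(conn, "not-a-number")
    except ValueError as exc:
        print("rejected:", exc)
```

Parameter binding alone is what closes the injection; the boundary check on top of it turns malformed input into a clean client error rather than a database error and keeps the single-row blast radius easy to reason about in review. Note that the advisory's other finding, that the endpoint is reachable without authentication, is an access-control matter the query-level fix does not address.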
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.