CVE-2024-4498
CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
A Path Traversal and Remote File Inclusion (RFI) vulnerability exists in the parisneo/lollms-webui application, affecting versions v9.7 to the latest. The vulnerability arises from insufficient input validation in the /apply_settings function, allowing an attacker to manipulate the discussion_db_name parameter to traverse the file system and include arbitrary files. This issue is compounded by the bypass of input filtering in the install_binding, reinstall_binding, and unInstall_binding endpoints, despite the presence of a sanitize_path_from_endpoint(data.name) filter. Successful exploitation enables an attacker to upload and execute malicious code on the victim's system, leading to Remote Code Execution (RCE).
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| parisneo | parisneo/lollms-webui | unspecified <= latest | affected |
Weaknesses
- CWE-22: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.