CRITICAL🇵🇱 Wersja polska

CVE-2024-2624

CVSS 9.8v3.1pub. 2024-06-06upd. 2024-11-21

A path traversal and arbitrary file upload vulnerability exists in the parisneo/lollms-webui application, specifically within the `@router.get("/switch_personal_path")` endpoint in `./lollms-webui/lollms_core/lollms/server/endpoints/lollms_user.py`. The vulnerability arises due to insufficient sanitization of user-supplied input for the `path` parameter, allowing an attacker to specify arbitrary file system paths. This flaw enables direct arbitrary file uploads, leakage of `personal_data`, and overwriting of configurations in `lollms-webui`->`configs` by exploiting the same named directory in `personal_data`. The issue affects the latest version of the application and is fixed in version 9.4. Successful exploitation could lead to sensitive information disclosure, unauthorized file uploads, and potentially remote code execution by overwriting critical configuration files.

🤖 AI Analysis
How it works

The vulnerability is located in the `@router.get("/switch_personal_path")` endpoint in the `lollms_core/lollms/server/endpoints/lollms_user.py` file. The `path` parameter passed by the user is not properly validated or sanitized, allowing an attacker to specify any path in the file system (CWE-22, CWE-29). The exploit enables direct file uploads to selected locations, data leakage from the `personal_data` directory, and configuration overwriting in the `configs` directory through use of an identically named directory in `personal_data`. Overwriting critical configuration files can lead to arbitrary code execution (RCE).

Impact

An attacker can gain access to sensitive user data, upload arbitrary files to the server, overwrite application configuration files, and consequently lead to remote code execution (RCE) on the server hosting the application.

Mitigation & patch

The lollms-webui application should be updated to version 9.4 or newer, in which the vulnerability has been fixed. The patch is available in commit aeba79f3ea934331b8ecd625a58bae6e4f7e7d3f in the manufacturer's GitHub repository.

Who is affected

The parisneo/lollms-webui application — versions prior to 9.4 (vulnerability present in the latest version at the time of publication).

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Lollms Web Ui

    APP
    Lollms
    < 9.4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath Traversal
CWE
References

Related vulnerabilities

CVE-2026-33340CRITICAL9.1PL ✓ten sam produkt

SSRF i brak uwierzytelnienia w lollms-webui — dostęp do wewnętrznych zasobów

CVE-2024-8898CRITICAL9.8PL ✓ten sam produkt

Path traversal w API install/uninstall lollms-webui V12 (Strawberry)

CVE-2024-8581CRITICAL9.1PL ✓ten sam produkt

Path Traversal w lollms-webui umożliwia usunięcie dowolnego pliku

CVE-2024-1873CRITICAL9.1PL ✓ten sam produkt

Path Traversal i DoS w endpoint /select_database aplikacji lollms-webui

CVE-2024-2359CRITICAL9.8PL ✓ten sam produkt

Command Injection w lollms-webui — obejście zabezpieczeń i RCE