CVE-2024-2360

Name of the Vulnerable Software and Affected Versions parisneo/lollms-webui version latest

Description The issue is related to path traversal attacks that can lead to remote code execution due to insufficient sanitization of user-supplied input in the 'Database path' and 'PDF LaTeX path' settings. An attacker can exploit this vulnerability by manipulating these settings to execute arbitrary code on the targeted server. The vulnerability stems from the application's handling of the discussion db name and pdf latex path parameters, which do not properly validate file paths, allowing for directory traversal. This vulnerability can also lead to further file exposure and other attack vectors by manipulating the discussion db name parameter.

Recommendations As a temporary workaround, consider disabling the manipulation of the discussion db name and pdf latex path parameters until a patch is available. Restrict access to the 'Database path' and 'PDF LaTeX path' settings to minimize the risk of exploitation. Avoid using the discussion db name parameter in a way that could lead to directory traversal until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.