CVE-2024-2361

Name of the Vulnerable Software and Affected Versions parisneo/lollms-webui (affected versions not specified)

Description A vulnerability in parisneo/lollms-webui allows for arbitrary file upload and read due to insufficient sanitization of user-supplied input. The issue resides in the install model() function within lollms core/lollms/binding.py, where the application fails to properly sanitize the file:// protocol and other inputs, leading to arbitrary read and upload capabilities. Attackers can exploit this vulnerability by manipulating the path and variant name parameters to achieve path traversal, allowing for the reading of arbitrary files and uploading files to arbitrary locations on the server.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.