PT-2024-19975 · Unknown · Parisneo/Lollms-Webui
Published 2024-06-06 · Updated 2024-10-17 · CVE-2024-2362
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
parisneo/lollms-webui version 9.3
Description
A path traversal vulnerability exists because file paths are validated inconsistently between Windows and Linux environments, allowing an attacker to delete any file on the system. The issue arises from inadequate sanitization of user-supplied input in the 'del preset' endpoint: the application does not reject absolute paths or directory traversal sequences ('..'). As a result, an attacker can send a specially crafted request to the 'del preset' endpoint to delete files outside the intended directory.
Recommendations
For parisneo/lollms-webui version 9.3, consider disabling the 'del preset' endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of file deletion. Reject absolute paths and directory traversal sequences ('..') in input to the 'del preset' endpoint so that input validation cannot be bypassed. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
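The input check the recommendation calls for, as an added example that is not lollms-webui's own code: it rejects absolute paths and '..' under both Windows and POSIX conventions regardless of the host OS, then confirms the resolved path still lies inside the presets directory. The directory name and preset names are assumptions constructed for the example.

```python
import os
from pathlib import PurePosixPath, PureWindowsPath
from typing import Optional

# Assumed location of the presets folder (constructed for this example).
PRESETS_DIR = "/srv/lollms/presets"


def is_safe_preset_name(name: str) -> bool:
    """Accept only a bare file name, judged under BOTH path conventions.

    A server on Linux that checks only for '/' and '..' still accepts
    '..\\..\\windows\\win.ini' or 'C:\\x'; those names become dangerous
    when the same code runs on Windows, so both flavours are checked.
    """
    if not name or "\x00" in name or name in (".", ".."):
        return False
    if PurePosixPath(name).is_absolute() or PureWindowsPath(name).is_absolute():
        return False                      # '/etc/shadow', 'C:\\x', '\\\\srv\\share'
    if PureWindowsPath(name).drive or PureWindowsPath(name).root:
        return False                      # 'C:foo' (drive-relative), '\\foo' (rooted)
    if "/" in name or "\\" in name:
        return False                      # any separator means more than one component
    return True


def resolve_preset_path(base_dir: str, name: str) -> Optional[str]:
    """Return the on-disk path for `name`, or None when the name is rejected.

    The unsafe pattern is os.path.join(base_dir, name) with no check, where
    '..' components and absolute names walk out of base_dir. Here the name is
    validated first, then the resolved path is checked for containment so a
    symlinked entry that resolves outside the folder is rejected as well.
    """
    if not is_safe_preset_name(name):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    try:
        if os.path.commonpath([base, target]) != base:
            return None
    except ValueError:                    # e.g. different drives on Windows
        return None
    return target


if __name__ == "__main__":
    for candidate in ("my_preset.yaml", "../etc/passwd", "..\\..\\win.ini", "C:\\x"):
        print(repr(candidate), "->", resolve_preset_path(PRESETS_DIR, candidate))
```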
Exploit
Path traversal
Affected Products
Parisneo/Lollms-Webui