PT-2024-20009 · Parisneo · Lollms-Webui

Published: 2024-05-16 · Updated: 2025-07-09 · CVE-2024-2366

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: parisneo/lollms-webui, version latest

Description: A remote code execution issue exists due to insufficient path sanitization in the reinstall binding functionality. This allows an attacker to exploit path traversal and navigate to arbitrary directories. By manipulating the binding path to point to a controlled directory and uploading a malicious __init__.py file, an attacker can execute arbitrary code on the server.

Recommendations: For the latest version, consider disabling the reinstall binding functionality until a patch is available to prevent exploitation. Restrict access to the lollms_binding_infos.py endpoint to minimize the risk of arbitrary code execution. Avoid using the binding path variable in the affected endpoint until the issue is resolved.
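The root cause named above is a binding path that is accepted without being confined to the bindings directory. The following is an added example (not lollms-webui project code) of the kind of check that closes that gap on the server side: a strict allow-list on the binding name plus a verification that the resolved filesystem path, with symlinks followed, is still a direct child of the bindings root. It assumes a layout in which every binding is a subdirectory directly under one root; the directory names used in the demo are constructed for the example.

```python
"""Confine a user-supplied binding name to the bindings directory.

Added example, not lollms-webui project code. Assumes every binding is a
subdirectory directly under a single bindings root; all directory names in
demo() are constructed for this demonstration.
"""
import re
import tempfile
from pathlib import Path

# Exactly one path component: letters, digits, underscore, dash.
# This rejects "..", "/", "\\", NUL bytes and empty names before any I/O.
_BINDING_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_binding_dir(bindings_root, binding_name):
    """Return the real directory for binding_name, or raise ValueError.

    Two independent checks are applied: a syntactic allow-list on the name,
    and a check that the resolved path (symlinks followed) still lies
    directly under the bindings root. The second check is what catches a
    symlink inside the bindings directory that points somewhere else.
    """
    if not _BINDING_NAME.fullmatch(binding_name):
        raise ValueError(f"invalid binding name: {binding_name!r}")
    root = Path(bindings_root).resolve(strict=True)
    candidate = (root / binding_name).resolve()
    try:
        rel = candidate.relative_to(root)
    except ValueError:
        raise ValueError("binding path escapes the bindings directory") from None
    if len(rel.parts) != 1:
        raise ValueError("binding must be a direct child of the bindings directory")
    if not candidate.is_dir():
        raise ValueError("binding directory does not exist")
    return candidate


def check_names(bindings_root, names):
    """Run the check on each name and report 'accepted' or 'rejected'."""
    results = {}
    for name in names:
        try:
            resolve_binding_dir(bindings_root, name)
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    return results


def demo():
    """Build a constructed bindings tree in a temp dir and exercise the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bindings"
        (root / "good_binding").mkdir(parents=True)
        outside = Path(tmp) / "outside"
        outside.mkdir()
        try:
            # A symlink inside the root that points outside it; the name passes
            # the regex, so only the resolved-path check can reject it.
            (root / "escape_link").symlink_to(outside, target_is_directory=True)
        except OSError:
            pass  # symlinks unavailable on this platform; name is then simply missing
        return check_names(
            root, ["good_binding", "../outside", "escape_link", "missing", "a/b"]
        )


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name!r}: {verdict}")
```

The regex alone would already stop the traversal pattern described in this advisory; the resolved-path check is kept because a name-only filter says nothing about what the directory actually points to on disk. The same function should be used for any endpoint that takes a binding identifier, so that a single place defines what "inside the bindings directory" means.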

Tags: Fix · RCE · Command Injection

Weakness Enumeration

Related Identifiers: CVE-2024-2366

Affected Products: Lollms-Webui