PT-2024-20964 · Parisneo · Lollms-Webui

Published: 2024-06-06 · Updated: 2024-10-17 · CVE-2024-2548

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: parisneo/lollms-webui versions prior to 9.5

Description: A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the lollms_core/lollms/server/endpoints/lollms_binding_files_server.py and lollms_core/lollms/security.py files. Due to inadequate validation of file paths between Windows and Linux environments using Path(path).is_absolute(), attackers can exploit this flaw to read any file on the system. The vulnerability is triggered when an attacker sends a specially crafted request to the "/user_infos/{path:path}" endpoint, allowing the reading of arbitrary files, as demonstrated with the win.ini file.

Recommendations: For versions prior to 9.5, update to version 9.5 to resolve the issue. As a temporary workaround, consider restricting access to the /user_infos/{path:path} endpoint until the update is applied. Avoid using the path parameter in the affected API endpoint until the issue is resolved.
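As an added example, not code from the advisory or from the lollms-webui project: the weak check the description names, `Path(path).is_absolute()`, beside a cross-platform replacement that a defender would use to confine a user-supplied path to a base directory. The function names, the base directory and the sample inputs are assumptions constructed for illustration.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath
from typing import Optional

# Weak check of the kind the advisory describes: Path() uses the host OS
# flavour, so on a Linux server a Windows-style absolute path such as
# "C:\Windows\win.ini" is reported as relative, and "..\..\x" is never
# absolute on either platform, so traversal slips past it entirely.
def weak_is_absolute(path: str) -> bool:
    return Path(path).is_absolute()

def strict_is_absolute(path: str) -> bool:
    """Hypothetical helper: absolute if EITHER OS flavour would treat it so."""
    win = PureWindowsPath(path)
    return (PurePosixPath(path).is_absolute()
            or win.is_absolute()
            or win.drive != ""                 # "C:foo", "\\server\share\x"
            or path.startswith(("/", "\\")))   # "\Windows" on Windows hosts

def resolve_under(base_dir: Path, user_path: str) -> Optional[Path]:
    """Return the real path of user_path inside base_dir, or None if it escapes.

    Hypothetical helper; normalises both separators before splitting so that
    Windows-style '..\\' components are caught on a Linux host as well.
    """
    if not user_path or "\x00" in user_path or strict_is_absolute(user_path):
        return None
    parts = [p for p in user_path.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts or any(p == ".." for p in parts):
        return None
    base = base_dir.resolve()
    candidate = base.joinpath(*parts).resolve()   # follows symlinks too
    try:
        candidate.relative_to(base)               # must still sit under base
    except ValueError:
        return None
    return candidate

if __name__ == "__main__":
    # Constructed sample inputs; the base directory is the current directory.
    for sample in ("docs/readme.md", "..\\..\\win.ini", "C:\\Windows\\win.ini",
                   "../etc/passwd", "\\\\server\\share\\secret"):
        print(f"{sample!r:32} weak={weak_is_absolute(sample)!s:5} "
              f"allowed={resolve_under(Path('.'), sample) is not None}")
```

Only the first sample is accepted; every other input is rejected regardless of the operating system the check runs on.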

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2024-2548

Affected Products: Lollms-Webui