PT-2024-21311 · Parisneo · Lollms-Webui

Published: 2024-06-06 · Updated: 2024-10-15 · CVE-2024-2624

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: parisneo/lollms-webui versions prior to 9.4
Description: A path traversal and arbitrary file upload vulnerability exists in the parisneo/lollms-webui application, specifically within the /switch_personal_path endpoint in ./lollms-webui/lollms_core/lollms/server/endpoints/lollms_user.py. The vulnerability arises from insufficient sanitization of the user-supplied path parameter, which lets an attacker point the personal data path at arbitrary locations on the file system. This flaw enables direct arbitrary file uploads, leakage of personal data, and overwriting of the configurations in lollms-webui->configs by way of the same-named directory in personal data. Successful exploitation could lead to sensitive information disclosure, unauthorized file uploads, and potentially remote code execution by overwriting critical configuration files.
Recommendations: Update to version 9.4 to fix the path traversal vulnerability and protect against data breaches and unauthorized access. As a temporary workaround, consider restricting access to the @router.get("/switch_personal_path") endpoint until the issue is resolved. Avoid using the path parameter of the affected API endpoint until the issue is resolved.
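As an added example (not the project's code or its 9.4 fix), the kind of validation the path parameter lacked: the supplied path is canonicalised and refused unless it stays inside a personal-data root and outside the application's configs directory. The two directory locations are assumptions for illustration.

```python
from pathlib import Path

# Added example, not lollms-webui's own code. The personal-data root and
# the protected configs directory are assumptions for illustration.
ALLOWED_ROOT = Path("/srv/lollms/personal_data")
PROTECTED = ["/srv/lollms/lollms-webui/configs"]


class PathRejected(ValueError):
    """Raised when a user-supplied personal path fails validation."""


def validate_personal_path(requested, allowed_root=ALLOWED_ROOT,
                           protected=PROTECTED):
    """Canonicalise `requested` and confine it to `allowed_root`.

    1. reject NUL bytes, which some filesystem calls truncate on;
    2. resolve '..' segments and any existing symlinks, then require the
       result to lie under allowed_root (pathlib drops the root when the
       right-hand operand is absolute, so absolute input is resolved on
       its own and caught by the same check);
    3. reject results in or under a protected directory, such as the
       application's configs directory, as defence in depth.
    Returns the resolved Path on success.
    """
    if "\x00" in requested:
        raise PathRejected("NUL byte in path")
    root = allowed_root.resolve()
    candidate = (root / requested).resolve()
    if not candidate.is_relative_to(root):
        raise PathRejected(f"outside allowed root: {requested!r}")
    for guarded in protected:
        if candidate.is_relative_to(Path(guarded).resolve()):
            raise PathRejected(f"protected directory: {requested!r}")
    return candidate


def is_rejected(requested, **kwargs):
    """True if validate_personal_path() refuses `requested`."""
    try:
        validate_personal_path(requested, **kwargs)
    except PathRejected:
        return True
    return False


if __name__ == "__main__":
    for p in ["user1", "user1/../user2", "../lollms-webui/configs"]:
        print(p, "->", "rejected" if is_rejected(p) else validate_personal_path(p))
```

Requires Python 3.9 or later for Path.is_relative_to; on a live install the root should be the directory the server actually stores personal data in.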

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2024-2624

Affected Products: Lollms-Webui