CVE-2024-3322

Name of the Vulnerable Software and Affected Versions parisneo/lollms-webui versions up to 9.5

Description A path traversal vulnerability exists in the 'cyber security/codeguard' native personality, arising from the improper limitation of a pathname to a restricted directory in the 'process folder' function within 'lollms-webui/zoos/personalities zoo/cyber security/codeguard/scripts/processor.py'. The function fails to properly sanitize user-supplied input for the code folder path, allowing an attacker to specify arbitrary paths using '../' or absolute paths. This flaw leads to arbitrary file read and overwrite capabilities in specified directories without limitations, posing a significant risk of sensitive information disclosure and unauthorized file manipulation.

Recommendations As a temporary workaround, consider disabling the process folder function until a patch is available. Restrict access to the cyber security/codeguard native personality to minimize the risk of exploitation. Avoid using the code folder path variable in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.