CVE-2024-3435

Name of the Vulnerable Software and Affected Versions parisneo/lollms-webui versions prior to 9.5

Description A path traversal issue exists in the "save settings" endpoint due to insufficient sanitization of the config parameter in the apply settings function. This allows an attacker to manipulate the application's configuration by sending specially crafted JSON payloads, potentially leading to remote code execution (RCE) by bypassing existing patches.

Recommendations For versions prior to 9.5, as a temporary workaround, consider disabling the apply settings function until a patch is available. Restrict access to the "save settings" endpoint to minimize the risk of exploitation. Avoid using the config parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.