PT-2024-29038 · Parisneo · Lollms

Published: 2024-05-16 · Updated: 2024-05-16 · CVE-2024-4078

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: parisneo/lollms, version "latest"

Description: The issue is arbitrary code execution caused by insufficient sanitization of user input. Specifically, the /unInstall_binding endpoint is vulnerable: the unInstall_binding function does not sanitize the path built from the name parameter. This allows an attacker to traverse directories and execute arbitrary code by having a malicious __init__.py file loaded. Exploitation could lead to remote code execution on the system where the software is deployed.

Recommendations: For the latest version, update to a version that addresses the insufficient sanitization of user input in the /unInstall_binding endpoint, specifically one that enforces proper path sanitization for the name parameter in the unInstall_binding function. As a temporary workaround, consider restricting access to the /unInstall_binding endpoint to minimize the risk of exploitation.
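The fix the advisory calls for is to treat the user-supplied binding name as a single directory entry under the bindings root rather than as a path fragment. The following is an added example written for this page, not code from lollms or from the advisory; the bindings root path, the function names and the sample names are constructed. It applies two independent checks: a strict allow-list on the name itself, and a containment check on the fully resolved path, so that neither a traversal sequence nor a symlink under the root can make the server load or remove a package outside it.

```python
import re
from pathlib import Path

# Hypothetical helper (not lollms code). A binding name must be a single,
# plain directory entry: letters, digits, underscore, dot and hyphen, and
# it may not start with a dot, which also rules out "." and "..".
_BINDING_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")


class InvalidBindingName(ValueError):
    """Raised when a binding name would not map to a direct child of the root."""


def resolve_binding_dir(bindings_root: str, name: str) -> Path:
    """Return the directory that `name` designates under `bindings_root`.

    Check 1 rejects anything that is not a plain name (separators, empty
    strings, leading dots, control characters, URL-encoded bytes such as
    "%2e" all fail the allow-list).
    Check 2 resolves both paths (following symlinks) and requires that the
    target's parent is exactly the root, so the result is always a direct
    child of the root, never the root itself and never anything below a
    symlinked child.
    """
    if not _BINDING_NAME.fullmatch(name):
        raise InvalidBindingName(f"rejected binding name: {name!r}")

    root = Path(bindings_root).resolve()
    target = (root / name).resolve()
    if target.parent != root:
        raise InvalidBindingName(f"binding path escapes root: {name!r}")
    return target


def is_safe_binding_name(bindings_root: str, name: str) -> bool:
    """Boolean form of resolve_binding_dir, convenient for request validation."""
    try:
        resolve_binding_dir(bindings_root, name)
        return True
    except InvalidBindingName:
        return False


def classify_names(bindings_root: str, names: list[str]) -> dict[str, bool]:
    """Run the check over a batch of constructed sample inputs."""
    return {n: is_safe_binding_name(bindings_root, n) for n in names}


if __name__ == "__main__":
    # Constructed root and sample inputs; none of these paths need to exist.
    root = "/srv/lollms/bindings"
    samples = ["my_binding", "open_router", "../../tmp/evil", "..", "",
               "foo/bar", "/etc", ".hidden", "x%2e%2e"]
    for name, ok in classify_names(root, samples).items():
        print(f"{'accept' if ok else 'reject':6}  {name!r}")
```

Call `resolve_binding_dir` once at the top of the endpoint handler and use only the returned `Path` for the subsequent import or removal; passing the raw `name` to any file operation afterwards reintroduces the defect. The allow-list alone would be enough for this bug, but keeping the resolved-path containment check means a later change that relaxes the allow-list (for example to permit namespaced bindings) still cannot reach outside the bindings root.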

Fix

Weakness Enumeration: Command Injection

Related Identifiers: CVE-2024-4078, GHSA-PWC9-Q4HJ-PG8G

Affected Products: Lollms