PT-2024-30340 · Parisneo · Lollms

Published: 2024-06-12 · Updated: 2025-10-15 · CVE-2024-4315

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions: parisneo/lollms version 9.5

Description: The issue arises from insufficient path sanitization, allowing Local File Inclusion (LFI) attacks. The "sanitize path from endpoint" function fails to properly sanitize Windows-style paths (backslash `\`), enabling directory traversal on Windows systems. This can be exploited through various routes, including personalities and /del preset, to read or delete any file on the Windows filesystem, compromising the system's availability.

Recommendations: For parisneo/lollms version 9.5, consider disabling the "sanitize path from endpoint" function until a patch is available, and restrict access to the /del preset and personalities routes to minimize the risk of exploitation. Additionally, avoid using Windows-style paths (backslash `\`) in the affected API endpoints until the issue is resolved.
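The weakness described above is a sanitizer that only understands the forward slash as a path separator, so a `..` segment written with backslashes survives the check and is later interpreted by Windows as a parent-directory step. The following is an added, illustrative example (not lollms's own code; the function names `weak_sanitize`, `sanitize_path` and `resolve_under`, the base directory and the sample inputs are all constructed for this page) that contrasts a separator-blind check with a hardened one that normalizes both separators, rejects absolute and drive-letter paths, and then confirms the resolved target still lies inside the intended base directory.

```python
import os
from typing import Optional


def weak_sanitize(user_path: str) -> Optional[str]:
    """Separator-blind check of the kind the advisory describes (illustrative only).

    It splits on '/' only, so '..\\..\\x' is seen as a single harmless segment
    and passes straight through; on Windows the OS later treats '\\' as a
    separator and walks out of the intended directory.
    """
    if ".." in user_path.split("/"):
        return None
    return user_path


def sanitize_path(user_path: str) -> Optional[str]:
    """Return a safe relative path with '/' separators, or None if rejected.

    Hardened rules (constructed for this example):
    - treat '\\' and '/' identically before inspecting segments
    - reject NUL bytes, absolute paths, drive letters (C:...) and UNC prefixes
    - reject any '..' segment and empty results
    """
    if "\x00" in user_path:
        return None
    normalized = user_path.replace("\\", "/")
    if normalized.startswith("/"):              # absolute or UNC (//server/share)
        return None
    if len(normalized) > 1 and normalized[1] == ":":  # drive letter such as C:
        return None
    parts = [p for p in normalized.split("/") if p not in ("", ".")]
    if not parts or any(p == ".." for p in parts):
        return None
    return "/".join(parts)


def resolve_under(base_dir: str, user_path: str) -> Optional[str]:
    """Defence in depth: after sanitizing, confirm the real path stays under base_dir.

    The containment check catches anything the string-level filter misses
    (e.g. symlinks inside base_dir pointing elsewhere), because realpath()
    follows links on the parts of the path that exist.
    """
    rel = sanitize_path(user_path)
    if rel is None:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, *rel.split("/")))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    # Constructed sample inputs: one benign preset name, one backslash traversal.
    for sample in ("presets/my_preset.yaml", "..\\..\\secret.txt", "C:\\anything"):
        print(f"{sample!r:28} weak={weak_sanitize(sample)!r:28} "
              f"hardened={sanitize_path(sample)!r}")
```

The two-layer design matters: the string filter gives an early, cheap rejection with a clear error, while `resolve_under` is the check a file-serving or file-deleting route should actually trust, since it reasons about the path the operating system will open rather than about the characters the client sent.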

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2024-4315
GHSA-VQWR-Q6CC-C242

Affected Products

Lollms