PT-2024-30383 · Parisneo · Lollms-Webui

Published

2024-05-16

·

Updated

2024-05-16

·

CVE-2024-4322

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

parisneo/lollms-webui (affected versions not specified)
Description

A path traversal issue exists in the "/list personalities" endpoint of parisneo/lollms-webui. The list personalities function joins the user-supplied category parameter to a filesystem path without validating it, so a value containing ".." segments escapes the personalities directory. Successful exploitation lets an unauthenticated remote attacker (AV:N, PR:N, UI:N) list the folders of any directory on the host filesystem, disclosing the directory structure of the system.
Recommendations

Until a patched version is available, disable the /list personalities endpoint, or at least restrict access to the list personalities function (for example, to authenticated or trusted clients) to reduce exposure. Do not pass attacker-controllable values in the category parameter of the affected endpoint until the issue is resolved.
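The pattern behind this advisory, shown as an added illustration rather than lollms-webui's own code: a directory-listing handler that joins a user-controlled category onto a base path with no containment check, beside a hardened version that rejects path separators and dot segments and then verifies the resolved path still lies under the personalities root. The directory layout, function names and the sibling "secrets" directory are constructed for this example and are assumptions, not taken from the project.

```python
"""Added example for this page: a traversal-prone directory listing and its
hardened counterpart. Not lollms-webui's implementation; names and layout are
assumptions made for illustration."""
import os
import shutil
import tempfile
from pathlib import Path


def build_sample_tree() -> Path:
    """Constructed sample layout: a personalities root with two categories and
    a sibling directory that a category listing must never reach."""
    root = Path(tempfile.mkdtemp(prefix="lollms_demo_"))
    for rel in ("personalities/generic/assistant",
                "personalities/coding/python_helper",
                "secrets/ssh_keys"):
        (root / rel).mkdir(parents=True)
    return root


def list_personalities_vulnerable(base: Path, category: str) -> list[str]:
    """Flawed pattern (CWE-22): the category is appended to the base path and
    listed as-is, so '../secrets' walks out of the personalities tree."""
    target = base / "personalities" / category
    return sorted(os.listdir(target))


def list_personalities_safe(base: Path, category: str) -> list[str]:
    """Hardened version: a category is a single directory name, never a path,
    and the resolved target must stay inside the personalities root."""
    root = (base / "personalities").resolve()
    # Reject anything that is not a plain component: empty, dot segments,
    # either separator style, or a NUL byte that could truncate a C path.
    if (not category or category in (".", "..")
            or "/" in category or "\\" in category or "\0" in category):
        raise ValueError("invalid category")
    # Defence in depth: resolve symlinks and normalisation, then re-check
    # containment so a link planted inside the tree cannot point elsewhere.
    target = (root / category).resolve()
    if not target.is_relative_to(root):
        raise ValueError("category escapes personalities root")
    if not target.is_dir():
        raise FileNotFoundError(category)
    return sorted(os.listdir(target))


def demo() -> dict:
    """Run both handlers against the sample tree and return the observations."""
    base = build_sample_tree()
    try:
        results = {
            "vuln_generic": list_personalities_vulnerable(base, "generic"),
            # The escape: one '..' reaches the sibling 'secrets' directory.
            "vuln_escape": list_personalities_vulnerable(base, "../secrets"),
            "safe_coding": list_personalities_safe(base, "coding"),
        }
        try:
            list_personalities_safe(base, "../secrets")
            results["safe_escape"] = "listed (bad)"
        except ValueError as exc:
            results["safe_escape"] = f"rejected: {exc}"
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Web frameworks decode percent-encoding before the handler sees the parameter, so `..%2fsecrets` arrives as `../secrets`; the check therefore runs on the decoded string, and the final `is_relative_to` test on the resolved path is what catches whatever the allow-list of characters misses.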

Fix

Weakness Enumeration

Related Identifiers

CVE-2024-4322

Affected Products

Lollms-Webui