CVE-2024-4330

Name of the Vulnerable Software and Affected Versions parisneo/lollms-webui version 9.6

Description A path traversal issue was identified due to improper handling of user-supplied input in the "list personalities" endpoint. An attacker can craft a malicious HTTP request to traverse the directory structure and view subfolder names by manipulating the category parameter. The issue is located in the 'endpoints/lollms advanced.py' file.

Recommendations For version 9.6, consider restricting access to the "list personalities" endpoint until a patch is available, or apply input validation to the category parameter to prevent directory traversal. As a temporary workaround, avoid using the category parameter in the affected endpoint to minimize the risk of exploitation.