PT-2024-31343 · Parisneo · Lollms-Webui
Published 2024-06-25 · Updated 2024-06-26 · CVE-2024-4498
CVSS v3.1: 7.7 (High)
Vector: AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: parisneo/lollms-webui versions v9.7 through the latest

Description: A Path Traversal and Remote File Inclusion (RFI) issue exists due to insufficient input validation in the /apply_settings function, allowing an attacker to manipulate the discussion_db_name parameter to traverse the file system and include arbitrary files. This issue is compounded by the bypass of input filtering in the install_binding, reinstall_binding, and unInstall_binding endpoints, despite the presence of a sanitize_path_from_endpoint(data.name) filter. Successful exploitation enables an attacker to upload and execute malicious code on the victim's system, leading to Remote Code Execution (RCE).

Recommendations: As a temporary workaround, consider disabling the /apply_settings function and restricting access to the install_binding, reinstall_binding, and unInstall_binding endpoints until a patch is available. Avoid using the discussion_db_name parameter in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
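The root cause described above is a file-name parameter that is trusted to stay inside a fixed directory. The following is an added illustration of the kind of validation that closes that gap, written for this advisory and not taken from lollms-webui itself: the parameter name, the directory path and the helper names are assumptions, and the check combines a strict allowlist with an independent canonical-path containment test so that a weak or bypassable filter on its own is never the last line of defence.

```python
import os
import re
from pathlib import Path

# Constructed base directory for this example; the project's real layout is not assumed.
DISCUSSION_DB_DIR = Path("/srv/lollms/discussion_databases")

# Allowlist: a database name is a short identifier with an optional ".db" suffix.
# No path separators, no dots except in the suffix, no control characters.
_NAME_RE = re.compile(r"^[A-Za-z0-9_\-]{1,64}(\.db)?$")


class UnsafeDbName(ValueError):
    """Raised when a user-supplied database name must not be used as a file name."""


def resolve_discussion_db(name: str, base_dir: Path = DISCUSSION_DB_DIR) -> Path:
    """Map a user-supplied database name onto a file inside base_dir, or raise.

    Two independent checks are applied: a syntactic allowlist on the raw value and
    a containment check on the canonicalised path. Either one alone would stop the
    traversal described in the advisory; keeping both means a future relaxation of
    the allowlist cannot silently reopen the hole.
    """
    if not isinstance(name, str) or not _NAME_RE.fullmatch(name):
        raise UnsafeDbName(f"rejected by allowlist: {name!r}")

    base = base_dir.resolve()             # canonical base (works even if it does not exist yet)
    candidate = (base / name).resolve()   # canonical target; collapses any ".." or symlink tricks

    # The canonical target must still sit below the canonical base directory.
    if os.path.commonpath([str(base), str(candidate)]) != str(base):
        raise UnsafeDbName(f"escapes base directory: {name!r}")
    return candidate


def is_safe_db_name(name: str) -> bool:
    """Convenience wrapper: True if the name would be accepted, False otherwise."""
    try:
        resolve_discussion_db(name)
        return True
    except UnsafeDbName:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: the first two are ordinary names, the rest attempt to leave the directory.
    for sample in ["default.db", "chat-01", "../../etc/passwd", "/etc/passwd", "..\\secrets.db", "a" * 70]:
        print(f"{sample!r:>24} -> {'accepted' if is_safe_db_name(sample) else 'rejected'}")
```

The point worth taking from the example is the ordering: reject on the raw string first, then re-check the resolved path. A filter that only strips or looks for `../` substrings (the pattern that was bypassed according to the description) is neither, because it reasons about the input rather than about where the resulting path actually lands.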

Weakness Enumeration: Path traversal

Related Identifiers: CVE-2024-4498

Affected Products: Lollms-Webui