CVE-2024-4841

Name of the Vulnerable Software and Affected Versions parisneo/lollms-webui versions v9.6 through the latest

Description A Path Traversal issue exists due to the lack of input sanitization in the add reference to local mode function. This allows an attacker to predict the folders, subfolders, and files present on the victim's computer by exploiting how the application handles the path parameter in HTTP requests to the "/add reference to local model" endpoint.

Recommendations For versions v9.6 through the latest, as a temporary workaround, consider disabling the add reference to local mode function until a patch is available. Restrict access to the "/add reference to local model" endpoint to minimize the risk of exploitation. Avoid using the path parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.