CVE-2024-5824

Name of the Vulnerable Software and Affected Versions: parisneo/lollms version 9.4.0

Description: A path traversal issue in the "/set personality config" endpoint allows an attacker to overwrite the configs/config.yaml file, potentially leading to remote code execution by modifying server configuration properties such as force accept remote access and turn on code validation.

Recommendations: For parisneo/lollms version 9.4.0, as a temporary workaround, consider disabling the "/set personality config" endpoint until a patch is available. Restrict access to the configs/config.yaml file to minimize the risk of exploitation. Avoid using the force accept remote access and turn on code validation properties in the server configuration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.