PT-2024-37375 · Lollms · Lollms

Published: 2024-06-27 · Updated: 2024-06-27 · CVE-2024-6085

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: lollms package version v9.6
Description: A path traversal issue exists because the root folder setting can be changed without authentication. Although the read file endpoint is protected against path traversal, that protection is evaluated relative to the configured root folder, so it can be bypassed by changing the root folder to '/'. This allows attackers to read arbitrary files on the system. Additionally, the output folders can be changed so that arbitrary audio files are written to any location on the system.
Recommendations: For lollms package version v9.6, consider restricting access to the root folder settings to prevent unauthenticated changes, and limit the ability to modify output folders to authorized users only. As a temporary workaround, consider disabling the ability to change the root folder and output folders until a patch is available.
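The following added example, which is not lollms code, shows in plain Python why a traversal check that is anchored to a user-changeable root folder gives no protection once the root is moved to '/', and how pinning the root to a fixed base directory and requiring authentication for the change (as the recommendations suggest) closes the gap. The `Settings`, `HardenedSettings` and `allowed_base` names are assumptions made for the example; the temporary directory and file it creates are constructed sample data.

```python
"""Added example (not lollms code): a root-relative traversal check and a
hardened root-folder setter. Names and layout are hypothetical."""
import tempfile
from pathlib import Path


class Settings:
    """Hypothetical settings object holding a configurable root folder."""

    def __init__(self, root: Path):
        self.root = root.resolve()


def is_within_root(settings: Settings, requested: str) -> bool:
    """Traversal check of the kind the advisory describes: accept a request only
    if it resolves to the root folder or to something inside it. Joining an
    absolute `requested` discards the root, which the check then rejects."""
    target = (settings.root / requested).resolve()
    return target == settings.root or settings.root in target.parents


def set_root_unauthenticated(settings: Settings, new_root: str) -> None:
    """Mirrors the weakness: any caller can move the root folder."""
    settings.root = Path(new_root).resolve()


class HardenedSettings(Settings):
    """Root folder may only move when the caller is authenticated and the new
    value stays under a fixed, operator-chosen base directory."""

    def __init__(self, root: Path, allowed_base: Path):
        super().__init__(root)
        self.allowed_base = allowed_base.resolve()

    def set_root(self, new_root: str, authenticated: bool) -> None:
        if not authenticated:
            raise PermissionError("root folder change requires authentication")
        candidate = Path(new_root).resolve()
        if candidate != self.allowed_base and self.allowed_base not in candidate.parents:
            raise ValueError("root folder must stay under the allowed base")
        self.root = candidate


def demo() -> dict:
    """Run both variants against a constructed directory tree and report results."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()          # constructed sample layout
        data = base / "data"
        data.mkdir()
        (data / "notes.txt").write_text("constructed sample file")

        weak = Settings(data)
        results["in_root"] = is_within_root(weak, "notes.txt")
        results["traversal_blocked"] = is_within_root(weak, "../../etc/hostname")
        # The check itself is fine; the problem is that the root can be moved.
        set_root_unauthenticated(weak, "/")
        results["after_root_change"] = is_within_root(weak, "etc/hostname")

        hard = HardenedSettings(data, base)
        try:
            hard.set_root("/", authenticated=False)
            results["unauth_blocked"] = False
        except PermissionError:
            results["unauth_blocked"] = True
        try:
            hard.set_root("/", authenticated=True)
            results["escape_blocked"] = False
        except ValueError:
            results["escape_blocked"] = True
        hard.set_root(str(base / "data"), authenticated=True)
        results["allowed_change"] = hard.root == data
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the demo makes is that `is_within_root` never fails on its own terms; with the root set to '/', every path on the system is "inside" the root, so the check passes for anything. The hardened setter treats the root folder as a privileged setting: it refuses unauthenticated changes outright and, even for authenticated callers, rejects a root outside the operator's allowed base, which is the kind of restriction the recommendations call for.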

Fix

Path traversal


Weakness Enumeration

Related Identifiers: CVE-2024-6085, GHSA-9CHM-M6X2-6FVC

Affected Products: Lollms