PT-2024-37482 · Unknown · Parisneo/Lollms-Webui
Published 2024-06-27 · Updated 2026-01-29 · CVE-2024-6250
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
parisneo/lollms-webui version 9.6
Description:
An absolute path traversal issue exists in the "open_file" endpoint of "lollms_advanced.py". The sanitize_path function, when called with allow_absolute_path=True, accepts absolute paths and so allows an attacker to access arbitrary files and directories on a Windows system. This can be exploited to read any file and list arbitrary directories on the affected system.
Recommendations:
For parisneo/lollms-webui version 9.6, consider disabling the open_file endpoint in lollms_advanced.py, or calling the sanitize_path function with allow_absolute_path=False, until a patch is available. Restrict access to the sanitize_path function to minimize the risk of exploitation.
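To make the recommendation concrete, the following is an added example, not code from lollms-webui: a minimal path sanitizer modelled on the advisory's wording, with the flag allow_absolute_path deciding whether absolute paths are accepted. The root directory, function names and sample requests are all constructed for illustration; the hardened behaviour (allow_absolute_path=False plus a resolve-and-confine check) is what the advisory recommends.

```python
from pathlib import Path, PureWindowsPath

# Constructed example: a path sanitizer in the style the advisory describes.
# This is NOT lollms-webui's sanitize_path; names and the root are illustrative.


class PathRejected(ValueError):
    """Raised when a user-supplied path must not be opened."""


def sanitize_path(user_path: str, root: Path, allow_absolute_path: bool = False) -> Path:
    """Resolve user_path against root and refuse anything that escapes it.

    allow_absolute_path=True reproduces the weak configuration named in the
    advisory: an absolute path is returned as given, so the root confinement
    no longer applies. allow_absolute_path=False confines every result to root.
    """
    # Treat Windows and POSIX separators alike so "..\\" and "../" are both seen.
    candidate = user_path.replace("\\", "/")
    # Absolute on POSIX ("/etc/...") or on Windows (drive letter or UNC prefix).
    is_absolute = candidate.startswith("/") or PureWindowsPath(candidate).is_absolute()
    if is_absolute:
        if allow_absolute_path:
            return Path(user_path)  # weak: caller gets the path unconfined
        raise PathRejected(f"absolute paths are not allowed: {user_path!r}")
    resolved = (root / candidate).resolve()
    # After resolution, "../" sequences have been applied; confine to root.
    if not resolved.is_relative_to(root.resolve()):
        raise PathRejected(f"path escapes the allowed root: {user_path!r}")
    return resolved


def classify(user_path: str, root: Path, allow_absolute_path: bool) -> str:
    """Return "allowed" or "rejected" for one request, for comparison tables."""
    try:
        sanitize_path(user_path, root, allow_absolute_path)
        return "allowed"
    except PathRejected:
        return "rejected"


# Constructed sample requests: a normal in-root file, a relative escape, and
# absolute paths in both POSIX and Windows form.
SAMPLE_REQUESTS = [
    "notes/a.txt",
    "../../../etc/passwd",
    "/etc/passwd",
    "C:\\Windows\\win.ini",
]
SAMPLE_ROOT = Path("/srv/lollms/uploads")  # constructed, need not exist


def compare_settings(root: Path = SAMPLE_ROOT) -> dict:
    """Outcome of each sample request under the weak and the hardened setting."""
    return {
        req: {
            "allow_absolute_path=True": classify(req, root, True),
            "allow_absolute_path=False": classify(req, root, False),
        }
        for req in SAMPLE_REQUESTS
    }


if __name__ == "__main__":
    for req, outcome in compare_settings().items():
        print(f"{req!r:28} weak={outcome['allow_absolute_path=True']:9} "
              f"hardened={outcome['allow_absolute_path=False']}")
```

The relative-escape case is rejected under both settings because the resolve-and-confine check runs after joining with the root; only the absolute-path cases differ, which is exactly the gap the advisory attributes to allow_absolute_path=True.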
Affected Products
Parisneo/Lollms-Webui