PT-2024-37591 · Parisneo · Lollms-Webui

Published: 2024-09-30 · Updated: 2024-09-30 · CVE-2024-6394

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: parisneo/lollms-webui versions below v9.8

Description: A path traversal (local file inclusion) vulnerability exists because the `serve_js` function in app.py concatenates a user-supplied path onto the directory it serves without verifying that the resulting path stays inside that directory. Because the issue is reachable over the network without authentication (AV:N, PR:N in the vector above), a remote attacker can read arbitrary files that the web-server process can access, potentially exposing sensitive information such as private SSH keys, configuration files, and source code.

Recommendations: Upgrade parisneo/lollms-webui to v9.8 or later, which fixes the issue. If upgrading is not immediately possible, disable the `serve_js` route in app.py in the interim and keep the instance off untrusted networks, since the flaw needs no credentials to exploit.
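The defect the description names, shown as an added example that is not lollms-webui's own code: an unchecked join of a web root and a request path beside a resolver that canonicalises and enforces containment. The web root, function names and request paths are illustrative assumptions, not values from the advisory.

```python
# Added example (not lollms-webui code): vulnerable vs. contained static-file
# resolution for a "serve js"-style route. WEB_ROOT and the sample requests
# below are constructed for illustration.
import os
from pathlib import Path

WEB_ROOT = "/srv/lollms/web"  # hypothetical directory of served JS assets


def resolve_unchecked(base: str, requested: str) -> str:
    """The vulnerable pattern: join the request onto the root and serve it.

    Nothing verifies the result stays under `base`, so "../../etc/passwd"
    walks out of the root. os.path.join also discards `base` entirely when
    `requested` is absolute, so "/etc/passwd" escapes as well.
    """
    return os.path.normpath(os.path.join(base, requested))


def resolve_contained(base: str, requested: str) -> Path:
    """Hardened resolver: canonicalise both sides, then require containment.

    A leading separator is stripped so an absolute request cannot replace the
    root; resolve() then collapses ".", ".." and symlinks before the check.
    Raises PermissionError on any path that would leave `base`.
    """
    root = Path(base).resolve()
    candidate = (root / requested.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PermissionError(f"path escapes web root: {requested!r}") from None
    return candidate


def is_escape(base: str, requested: str) -> bool:
    """True if the contained resolver would refuse `requested`."""
    try:
        resolve_contained(base, requested)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed request paths: a legitimate asset and three escape attempts.
    for req in ("app.js", "../../../../etc/passwd", "/etc/passwd", "js/../../config.yaml"):
        print(f"{req!r:28} unchecked -> {resolve_unchecked(WEB_ROOT, req):32} "
              f"refused by contained resolver? {is_escape(WEB_ROOT, req)}")
```

The containment check must run on the decoded path the framework hands the handler, not on the raw URL: a request such as `%2e%2e/x` is only dangerous once percent-decoding has turned it into `../x`, and frameworks do that decoding before the route function sees the argument.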


Related Identifiers

CVE-2024-6394

Affected Products

Lollms-Webui