PT-2024-38022 · Unknown · Parisneo/Lollms-Webui+1

Published: 2024-10-11 · Updated: 2024-11-15 · CVE-2024-6985

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: parisneo/lollms-webui (affected versions not specified); parisneo/lollms (affected versions not specified)

Description: A path traversal issue exists due to improper sanitization of the personality folder parameter in the "api open personality folder" endpoint. This allows an attacker to read any folder in the personality folder on the victim's computer and access arbitrary files, even with sanitize path set.

Recommendations: For parisneo/lollms-webui, as a temporary workaround, consider restricting access to the "api open personality folder" endpoint until a patch is available. For parisneo/lollms, avoid using the personality folder parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
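The containment check below is an added example of how a folder parameter like the one described above can be confined to the configured personalities directory; it is not code from the lollms or lollms-webui projects, and the base directory, function names and sample inputs are assumptions.

```python
# Added example (not lollms/lollms-webui project code): confine a user-supplied
# "personality folder" parameter to the configured personalities directory.
# The base directory, function names and sample inputs are assumptions.
from pathlib import Path
from typing import Optional


def resolve_personality_folder(base_dir: str, requested: str) -> Optional[Path]:
    """Return the folder `requested` resolves to, or None if it leaves base_dir.

    Resolving the joined path (collapsing ".." and following symlinks) and then
    testing that it is still relative to the resolved base is the check that a
    substring filter on ".." alone does not provide.
    """
    if not requested or "\x00" in requested:
        return None
    base = Path(base_dir).resolve()
    # An absolute `requested` replaces `base` in the join; resolve() then
    # normalises ".." segments and symlinks before the containment test.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None          # escaped the personalities directory
    if candidate == base:
        return None          # the base itself is not a personality folder
    return candidate


def check_requests(base_dir: str, requests: list[str]) -> dict[str, bool]:
    """Map each requested folder name to whether it would be allowed."""
    return {r: resolve_personality_folder(base_dir, r) is not None for r in requests}


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    demo = check_requests("/srv/lollms/personalities", [
        "generic/lollms",        # ordinary nested folder: allowed
        "../outside",            # steps out of the base: rejected
        "/srv/other",            # absolute path replacing the base: rejected
        "",                      # empty name: rejected
    ])
    for name, allowed in demo.items():
        print(f"{name!r}: {'allowed' if allowed else 'rejected'}")
```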

Exploit

Weakness Enumeration: Relative Path Traversal

Related Identifiers

CVE-2024-6985
GHSA-6H64-G7CJ-HJ56
PYSEC-2024-122

Affected Products

Parisneo/Lollms
Parisneo/Lollms-Webui