PT-2025-12248 · Unknown · Parisneo/Lollms-Webui

Published: 2025-03-20 · Updated: 2025-03-20 · CVE-2024-8898

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: parisneo/lollms-webui version V12 (Strawberry)
Description: A path traversal issue exists in the API endpoints for installation and uninstallation. This allows attackers to create or delete directories with arbitrary paths on the system. The problem arises due to insufficient sanitization of user-supplied input, which can be exploited to navigate directories outside the intended path. The install and uninstall API endpoints are specifically affected.
Recommendations: For parisneo/lollms-webui version V12 (Strawberry), consider disabling the install and uninstall API endpoints until a patch is available to prevent exploitation of the path traversal vulnerability. Restrict access to these endpoints to minimize the risk of directory creation or deletion with arbitrary paths.
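The weakness the description names is an install or uninstall handler that builds a filesystem path from a user-supplied name without confirming the result stays inside the intended root. The following is an added illustration of that check, not code from lollms-webui (its actual endpoint implementation is not shown on this page): a naive join sits beside a hardened version that canonicalises both paths, rejects anything that resolves outside the root (including escapes through a symlink), and refuses to operate on the root itself. The directory name "personalities", the function names and the sample inputs are constructed for the example.

```python
import os
import tempfile


def naive_target(base_dir: str, name: str) -> str:
    """Weak pattern: user input is joined onto the install root with no
    containment check. A name containing '..' segments, an absolute path,
    or a symlink that points outside the root all escape base_dir."""
    return os.path.join(base_dir, name)


def safe_target(base_dir: str, name: str) -> str:
    """Hardened pattern: canonicalise both paths (symlinks included) and
    require the result to stay strictly inside base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # commonpath avoids the prefix trap that a bare startswith() falls into
    # (root '/srv/app' would wrongly accept '/srv/app_evil/x').
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes install root: {name!r}")
    if candidate == base:
        # An uninstall that resolves to the root itself would remove everything.
        raise ValueError("refusing to operate on the install root itself")
    return candidate


def escapes(base_dir: str, name: str) -> bool:
    """True if the hardened check rejects the name."""
    try:
        safe_target(base_dir, name)
    except ValueError:
        return True
    return False


def run_checks() -> dict:
    """Exercise both patterns in a throwaway directory (constructed sample input).
    Returns, per input name, the path the naive join produces and whether the
    hardened check accepts the name."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "personalities")
        os.mkdir(base)
        # A symlink inside the root that points outside it: a check on the
        # textual path alone would accept it; realpath() exposes the escape.
        os.symlink(root, os.path.join(base, "link_out"))
        samples = ["my_persona", "../escaped", "/etc", "link_out/escaped", "", "."]
        for name in samples:
            results[name] = {
                "naive_path": naive_target(base, name),
                "hardened_accepts": not escapes(base, name),
            }
    return results


if __name__ == "__main__":
    for name, r in run_checks().items():
        print(f"{name!r:20} hardened accepts: {r['hardened_accepts']!s:5}  naive join -> {r['naive_path']}")
```

Note that `os.path.join` silently discards the base when the second argument is absolute, which is why the hardened version compares canonical paths rather than trusting the join; the same containment check should run for both creation and deletion, since the description covers both.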

Exploit · Fix · Path traversal


Weakness Enumeration

Related Identifiers: CVE-2024-8898

Affected Products: Parisneo/Lollms-Webui