CVE-2024-9597

Name of the Vulnerable Software and Affected Versions parisneo/lollms version v12

Description A Path Traversal issue exists in the "/wipe database" endpoint, allowing an attacker to delete any directory on the system. This is due to improper validation of the key parameter, which is used to construct file paths. An attacker can exploit this by sending a specially crafted HTTP request to delete arbitrary directories.

Recommendations For parisneo/lollms version v12, as a temporary workaround, consider restricting access to the "/wipe database" endpoint until a patch is available. Additionally, avoid using the key parameter in the affected endpoint to minimize the risk of exploitation.