PT-2025-12297 · Unknown · Parisneo/Lollms-Webui

Published: 2025-03-20 · Updated: 2025-03-23 · CVE-2024-9919

CVSS v3.1: 8.4 (High)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: parisneo/lollms-webui version V13

Description: A missing authentication check in the uninstall endpoint allows attackers to perform unauthorized directory deletions. The "/uninstall/{app_name}" API endpoint does not call the check_access() function to verify the client_id, enabling attackers to delete directories without proper authentication.

Recommendations: For parisneo/lollms-webui version V13, as a temporary workaround, consider disabling the /uninstall/{app_name} API endpoint until a patch is available. Restrict access to the uninstall functionality to minimize the risk of exploitation. Avoid using the app_name parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
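To make the weakness concrete, the following is an added example written for this record; it is not code from parisneo/lollms-webui. It shows a minimal stand-in for an "uninstall app" handler in the vulnerable shape (the directory is removed with no caller verification) next to a hardened shape that first verifies the client_id through a check_access() step and then refuses an app_name that resolves outside the apps directory. The session table, the APPS_ROOT layout, the AccessDenied type and the exact check_access() signature are assumptions made for the example.

```python
"""Added example, not the lollms-webui code: an uninstall handler without
and with a client access check. Session table, paths and the check_access()
signature are assumptions for this illustration."""
from pathlib import Path
import shutil
import tempfile

# Constructed session table (assumption): which client_ids are authenticated.
AUTHENTICATED_CLIENTS = {"client-A"}


class AccessDenied(Exception):
    """Raised when the caller's client_id cannot be verified."""


def check_access(client_id: str) -> None:
    """Stand-in for the verification step the advisory says the endpoint skips."""
    if client_id not in AUTHENTICATED_CLIENTS:
        raise AccessDenied(f"unknown or unauthenticated client_id {client_id!r}")


def uninstall_app_vulnerable(apps_root: Path, app_name: str) -> bool:
    """Vulnerable shape: no caller verification, any request that reaches the
    handler removes the named app directory."""
    target = apps_root / app_name
    if target.is_dir():
        shutil.rmtree(target)
        return True
    return False


def uninstall_app_fixed(apps_root: Path, app_name: str, client_id: str) -> bool:
    """Hardened shape: verify the caller, then refuse names that escape the
    apps directory, then delete."""
    check_access(client_id)
    apps_root = apps_root.resolve()
    target = (apps_root / app_name).resolve()
    # Containment check: the resolved target must be a strict child of apps_root.
    if target == apps_root or apps_root not in target.parents:
        raise ValueError(f"app name {app_name!r} escapes the apps directory")
    if target.is_dir():
        shutil.rmtree(target)
        return True
    return False


def demo() -> dict:
    """Exercise both handlers against a constructed temporary apps directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "apps"
        (root / "demo_app").mkdir(parents=True)
        (root / "other_app").mkdir()

        # Unverified caller against the fixed handler: denied, directory kept.
        try:
            uninstall_app_fixed(root, "demo_app", client_id="nobody")
            results["unauth_fixed"] = "deleted"
        except AccessDenied:
            results["unauth_fixed"] = "denied"
        results["demo_app_exists_after_denied"] = (root / "demo_app").is_dir()

        # Verified caller, but a name that resolves above the apps root: rejected.
        try:
            uninstall_app_fixed(root, "..", client_id="client-A")
            results["escape_fixed"] = "deleted"
        except ValueError:
            results["escape_fixed"] = "rejected"

        # Verified caller with a plain app name: the uninstall proceeds.
        results["auth_fixed"] = uninstall_app_fixed(root, "demo_app", client_id="client-A")
        results["demo_app_exists_after_auth"] = (root / "demo_app").is_dir()

        # The vulnerable handler removes a directory with no identity at all.
        results["vulnerable"] = uninstall_app_vulnerable(root, "other_app")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fixed handler orders its checks so that an unverified caller is rejected before any filesystem access happens, and the containment check resolves symlinks and ".." components on both sides before comparing, which is the property a reviewer should look for when confirming a patch for this class of issue.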

Exploit

Missing Authentication


Weakness Enumeration

Related Identifiers: CVE-2024-9919

Affected Products: Parisneo/Lollms-Webui