PT-2025-12298 · Unknown · Parisneo/Lollms-Webui

Published: 2025-03-20 · Updated: 2025-03-21 · CVE-2024-9920

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: parisneo/lollms-webui version v12

Description: The issue arises from the 'Send file to AL' function, which allows uploading files with various extensions, including potentially dangerous ones such as .py, .sh and .bat. An attacker can upload a file with malicious content and then use the "/open file" API endpoint to execute it. The root cause is that the endpoint opens uploaded files with subprocess.Popen without proper validation, which can lead to remote code execution.

Recommendations: For version v12, consider disabling the 'Send file to AL' function until a patch is available. As a temporary workaround, restrict access to the "/open file" API endpoint to minimize the risk of exploitation. Avoid using subprocess.Popen to open files without proper validation until the issue is resolved.
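The recommendation above amounts to "validate before you hand a user-supplied path to subprocess". The following is an added example (not lollms-webui's own code) of what such a check looks like in Python: the upload is confined to its directory, the extension is checked against an allowlist with the advisory's dangerous extensions explicitly denied, and the viewer is launched with an argv list rather than by executing the file itself. The directory and function names, the allowlist, and the opener commands are assumptions for illustration.

```python
"""Added example: policy checks before an "open file" style handler touches
an uploaded path. Not lollms-webui's code; names and lists are assumptions."""
import subprocess
import sys
import tempfile
from pathlib import Path

# Assumption: the server only ever needs to open inert document/media types.
ALLOWED_SUFFIXES = {".txt", ".md", ".pdf", ".png", ".jpg", ".jpeg", ".csv", ".json"}
# Extensions the advisory names as dangerous, rejected even if the allowlist grows.
DENY_SUFFIXES = {".py", ".sh", ".bat", ".cmd", ".ps1", ".exe"}


class UploadPolicyError(ValueError):
    """Raised when a requested path fails containment or type checks."""


def validate_upload_path(upload_root: Path, user_path: str) -> Path:
    """Return the canonical path only if it stays inside upload_root,
    has an allowed (and not denied) extension, and is a regular file."""
    root = upload_root.resolve()
    candidate = (root / user_path).resolve()  # collapses ../ and symlinks
    if candidate == root or root not in candidate.parents:
        raise UploadPolicyError("path escapes the upload directory")
    suffix = candidate.suffix.lower()
    if suffix in DENY_SUFFIXES or suffix not in ALLOWED_SUFFIXES:
        raise UploadPolicyError(f"extension {suffix!r} is not permitted")
    if not candidate.is_file():
        raise UploadPolicyError("not a regular file")
    return candidate


def opener_argv(path: Path) -> list[str]:
    """Argv that asks the desktop to *view* the file; the file is never run."""
    if sys.platform == "darwin":
        return ["open", str(path)]
    if sys.platform.startswith("win"):
        return ["rundll32", "url.dll,FileProtocolHandler", str(path)]
    return ["xdg-open", str(path)]


def open_upload(upload_root: Path, user_path: str, dry_run: bool = False) -> list[str]:
    """Validated replacement for an unchecked subprocess.Popen(user_path)."""
    path = validate_upload_path(upload_root, user_path)
    argv = opener_argv(path)
    if not dry_run:
        subprocess.Popen(argv)  # argv list, no shell, interpreter never chosen by the file
    return argv


def demo() -> dict[str, str]:
    """Exercise the policy against constructed files in a temporary directory."""
    results: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "uploads"
        root.mkdir()
        (root / "notes.txt").write_text("harmless text")        # constructed
        (root / "tool.py").write_text("print('never executed')")  # constructed
        (Path(tmp) / "outside.txt").write_text("outside root")   # constructed
        for name in ["notes.txt", "tool.py", "../outside.txt", "missing.txt"]:
            try:
                open_upload(root, name, dry_run=True)
                results[name] = "allowed"
            except UploadPolicyError as exc:
                results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} {outcome}")
```

The containment check runs before the extension check so that a traversal attempt is reported as such rather than leaking whether a file exists. Note that this only makes the opener safe; the page's primary advice still stands, since a multi-user server generally has no business opening files on its own desktop at all, and restricting who can reach the endpoint is the smaller change.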

Weakness Enumeration: Unrestricted File Upload

Related Identifiers: CVE-2024-9920

Affected Products: Parisneo/Lollms-Webui