CVE-2024-2356

Name of the Vulnerable Software and Affected Versions parisneo/lollms-webui (affected versions not specified)

Description A Local File Inclusion (LFI) issue exists in the '/reinstall extension' endpoint of the parisneo/lollms-webui application. The vulnerability is present within the name parameter of the @router.post("/reinstall extension") route. An attacker can inject a malicious name parameter, causing the server to load and execute arbitrary Python files from the upload directory for discussions. This is due to the concatenation of data.name with lollmsElfServer.lollms paths.extensions zoo path and its use as an argument for ExtensionBuilder().build extension(). The server’s handling of the init .py file in arbitrary locations, facilitated by importlib.machinery.SourceFileLoader, enables the execution of arbitrary code, such as command execution or creating a reverse-shell connection. The application is particularly vulnerable when exposed to an external endpoint or the UI, especially when bound to 0.0.0.0 or in headless mode. No user interaction is required for exploitation.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.