cbcvebase.
CVE-2024-2361
published 2024-05-16

CVE-2024-2361: A vulnerability in the parisneo/lollms-webui allows for arbitrary file upload and read due to insufficient sanitization of user-supplied input. Specifically…

PriorityP356critical9.6CVSS 3.0
AVNACLPRNUIRSCCHIHAH
EPSS
0.63%
45.8th percentile
A vulnerability in the parisneo/lollms-webui allows for arbitrary file upload and read due to insufficient sanitization of user-supplied input. Specifically, the issue resides in the `install_model()` function within `lollms_core/lollms/binding.py`, where the application fails to properly sanitize the `file://` protocol and other inputs, leading to arbitrary read and upload capabilities. Attackers can exploit this vulnerability by manipulating the `path` and `variant_name` parameters to achieve path traversal, allowing for the reading of arbitrary files and uploading files to arbitrary locations on the server. This vulnerability affects the latest version of parisneo/lollms-webui.

Affected

2 ranges
VendorProductVersion rangeFixed in
lollmslollms_web_ui< 9.59.5
parisneoparisneo_lollms-webuiunspecified – latest

CVSS provenance

nvdv3.09.6CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
vendor_redhat7.8HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.