CVE-2024-4315 — Path Traversal in Lollms

CWE-22 — Path Traversal CWE-184 — Incomplete List of Disallowed Inputs5 documents4 sources

Severity

9.1CRITICALNVD

EPSS

0.9%

top 24.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Parisneo Lollms Lollms

Timeline

PublishedJun 12

Description

parisneo/lollms version 9.5 is vulnerable to Local File Inclusion (LFI) attacks due to insufficient path sanitization. The `sanitize_path_from_endpoint` function fails to properly sanitize Windows-style paths (backward slash `\`), allowing attackers to perform directory traversal attacks on Windows systems. This vulnerability can be exploited through various routes, including `personalities` and `/del_preset`, to read or delete any file on the Windows filesystem, compromising the system's availa…

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages2 packages

▶CVEListV5parisneo/parisneo_lollmsunspecified — 9.8

▶PyPIlollms/lollms< 9.5.0

🔴Vulnerability Details

GHSA

parisneo/lollms Local File Inclusion (LFI) attack↗2024-06-12

▶

OSV

parisneo/lollms Local File Inclusion (LFI) attack↗2024-06-12

▶

📐Framework References

CWE

Incomplete List of Disallowed Inputs↗

▶

CWE

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')↗

▶