CVE-2024-4498 — Path Traversal in Lollms-webui

CWE-22 — Path Traversal2 documents2 sources

Severity

7.7HIGHNVD

EPSS

0.1%

top 66.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Parisneo Lollms-webui Lollms WEB UI

Timeline

PublishedJun 25

Description

A Path Traversal and Remote File Inclusion (RFI) vulnerability exists in the parisneo/lollms-webui application, affecting versions v9.7 to the latest. The vulnerability arises from insufficient input validation in the `/apply_settings` function, allowing an attacker to manipulate the `discussion_db_name` parameter to traverse the file system and include arbitrary files. This issue is compounded by the bypass of input filtering in the `install_binding`, `reinstall_binding`, and `unInstall_binding…

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 1.0 | Impact: 6.0

Affected Packages2 packages

▶CVEListV5parisneo/parisneo_lollms-webuiunspecified — latest

▶NVDlollms/lollms_web_ui9.7

Patches

Patch: huntr.com ↗Patch: huntr.com ↗

🔴Vulnerability Details

GHSA

GHSA-4cwh-j7h3-gc75: A Path Traversal and Remote File Inclusion (RFI) vulnerability exists in the parisneo/lollms-webui application, affecting versions v9↗2024-06-25

▶