CVE-2024-5824 — Path Traversal in Lollms

CWE-22 — Path Traversal5 documents4 sources

Severity

7.4HIGHNVD

OSV7.5

EPSS

1.4%

top 19.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Parisneo Lollms Lollms Squid

Timeline

PublishedJun 27

Latest updateJan 11

Description

A path traversal vulnerability in the `/set_personality_config` endpoint of parisneo/lollms version 9.4.0 allows an attacker to overwrite the `configs/config.yaml` file. This can lead to remote code execution by changing server configuration properties such as `force_accept_remote_access` and `turn_on_code_validation`.

CVSS vector

CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 1.4 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5parisneo/parisneo_lollmsunspecified — latest

▶PyPIlollms/lollms< 9.5.0

▶Ubuntusquid/squid< 4.10-1ubuntu1.10+1

🔴Vulnerability Details

OSV

lollms path traversal vulnerability allows overriding of config.yaml file, leading to RCE↗2024-06-27

▶

GHSA

lollms path traversal vulnerability allows overriding of config.yaml file, leading to RCE↗2024-06-27

▶

OSV

squid vulnerabilities↗2024-04-10

▶

📋Vendor Advisories

Red Hat

kernel: nilfs2: prevent use of deleted inode↗2025-01-11

▶