Lollms Web Ui vulnerabilities
40 known vulnerabilities affecting lollms/lollms_web_ui.
Total CVEs: 40
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 13, HIGH 18, MEDIUM 8, LOW 1

Vulnerabilities (page 1 of 2)
CVE-2024-8898 | CRITICAL | CVSS 9.8 | CWE-22 | v12 | 2025-03-20 | source: nvd
A path traversal vulnerability exists in the `install` and `uninstall` API endpoints of parisneo/lollms-webui version V12 (Strawberry). This vulnerability allows attackers to create or delete directories with arbitrary paths on the system. The issue arises due to insufficient sanitization of user-supplied input, which can be exploited to traverse dir
CVE-2024-8581 | CRITICAL | CVSS 9.1 | CWE-22 | v12 | 2025-03-20 | source: nvd
A vulnerability in the `upload_app` function of parisneo/lollms-webui V12 (Strawberry) allows an attacker to delete any file or directory on the system. The function does not implement user input filtering with the `filename` value, causing a Path Traversal error.
CVE-2024-9919 | HIGH | CVSS 8.4 | CWE-306 | v13 | 2025-03-20 | source: nvd
A missing authentication check in the uninstall endpoint of parisneo/lollms-webui V13 allows attackers to perform unauthorized directory deletions. The /uninstall/{app_name} API endpoint does not call the check_access() function to verify the client_id, enabling attackers to delete directories without proper authentication.
CVE-2024-9920 | HIGH | CVSS 8.8 | CWE-434 | v12 | 2025-03-20 | source: nvd
In version v12 of parisneo/lollms-webui, the 'Send file to AL' function allows uploading files with various extensions, including potentially dangerous ones like .py, .sh, .bat, and more. Attackers can exploit this by uploading files with malicious content and then using the '/open_file' API endpoint to execute these files. The vulnerability arises from
CVE-2024-12766 | HIGH | CVSS 7.5 | CWE-918 | v13 | 2025-03-20 | source: nvd
parisneo/lollms-webui version V13 (feather) suffers from a Server-Side Request Forgery (SSRF) vulnerability in the `POST /api/proxy` REST API. Attackers can exploit this vulnerability to abuse the victim server's credentials to access unauthorized web resources by specifying the JSON parameter `{"url":"http://steal.target"}`. Existing security mechani
CVE-2025-1451 | HIGH | CVSS 7.5 | CWE-770 | v13 | 2025-03-20 | source: nvd
A vulnerability in parisneo/lollms-webui v13 arises from the server's handling of multipart boundaries in file uploads. The server does not limit or validate the length of the boundary or the characters appended to it, allowing an attacker to craft requests with excessively long boundaries, leading to resource exhaustion and eventual denial of service (
CVE-2024-10047 | MEDIUM | CVSS 5.3 | CWE-36 | v9.9 | 2025-03-20 | source: nvd
parisneo/lollms-webui versions v9.9 to the latest are vulnerable to a directory listing vulnerability. An attacker can list arbitrary directories on a Windows system by sending a specially crafted HTTP request to the /open_file endpoint.
CVE-2024-6986 | MEDIUM | CVSS 5.4 | CWE-79 | v9.8 | 2025-03-20 | source: nvd
A Cross-site Scripting (XSS) vulnerability exists in the Settings page of parisneo/lollms-webui version 9.8. The vulnerability is due to the improper use of the 'v-html' directive, which inserts the content of the 'full_template' variable directly as HTML. This allows an attacker to execute malicious JavaScript code by injecting a payload into the 'Sys
CVE-2024-7058 | MEDIUM | CVSS 4.4 | CWE-23 | v10 | 2025-03-20 | source: nvd
A vulnerability in the sanitize_path function in parisneo/lollms-webui v10 - latest allows an attacker to bypass path sanitization by using relative paths such as './'. This can lead to unauthorized access to directories within the personality_folder on the victim's computer.
CVE-2024-10019 | MEDIUM | CVSS 6.7 | CWE-78 | v12 | 2025-03-20 | source: nvd
A vulnerability in the `start_app_server` function of parisneo/lollms-webui V12 (Strawberry) allows for path traversal and OS command injection. The function does not properly sanitize the `app_name` parameter, enabling an attacker to upload a malicious `server.py` file and execute arbitrary code by exploiting the path traversal vulnerability.
CVE-2024-8736 | MEDIUM | CVSS 6.5 | CWE-352 | v12 | 2025-03-20 | source: nvd
A Denial of Service (DoS) vulnerability exists in multiple file upload endpoints of parisneo/lollms-webui version V12 (Strawberry). The vulnerability can be exploited remotely via Cross-Site Request Forgery (CSRF). Despite CSRF protection preventing file uploads, the application still processes multipart boundaries, leading to resource exhaustion. By
CVE-2024-6674 | HIGH | CVSS 7.1 | CWE-346 | fixed in 10 | 2024-10-29 | source: nvd
A CORS misconfiguration in parisneo/lollms-webui prior to version 10 allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. This vulnerability can also enable attackers to perform actions on behalf of a user, such as deleting a project or sending a message. The issue
CVE-2024-6673 | MEDIUM | CVSS 6.5 | CWE-352 | fixed in 10 | 2024-10-29 | source: nvd
A Cross-Site Request Forgery (CSRF) vulnerability exists in the `install_comfyui` endpoint of the `lollms_comfyui.py` file in the parisneo/lollms-webui repository, versions v9.9 to the latest. The endpoint uses the GET method without requiring a client ID, allowing an attacker to trick a victim into installing ComfyUI. If the victim's device does not
CVE-2024-6959 | HIGH | CVSS 7.1 | CWE-352 | v9.8 | 2024-10-13 | source: nvd
A vulnerability in parisneo/lollms-webui version 9.8 allows for a Denial of Service (DOS) attack when uploading an audio file. If an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process each character, rendering lollms-webui inaccessible. This issue is exacerbated by the lack of Cross-Sit
CVE-2024-6394 | HIGH | CVSS 7.5 | CWE-29 | v9.8 | 2024-09-30 | source: nvd
A Local File Inclusion vulnerability exists in parisneo/lollms-webui versions below v9.8. The vulnerability is due to unverified path concatenation in the `serve_js` function in `app.py`, which allows attackers to perform path traversal attacks. This can lead to unauthorized access to arbitrary files on the server, potentially exposing sensitive informat
CVE-2024-6040 | HIGH | CVSS 8.8 | CWE-352 | v9.8 | 2024-08-01 | source: nvd
In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local at
CVE-2024-4897 | HIGH | CVSS 8.4 | fixed in 9.8 | 2024-07-02 | source: nvd
parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version llama_cpp_python-0.2.61+cpuavx2-cp311-cp311-manylinux_2_31_x86_64. The vulnerability arises from the application's 'binding_zoo' feature, which allows attackers to upload and interact with a malicious model file hosted o
CVE-2024-6250 | HIGH | CVSS 7.5 | CWE-36 | PoC available | v9.6 | 2024-06-27 | source: nvd
An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the `open_file` endpoint of `lollms_advanced.py`. The `sanitize_path` function with `allow_absolute_path=True` allows an attacker to access arbitrary files and directories on a Windows system. This vulnerability can be exploited to read any file and list arbitr
CVE-2024-4498 | HIGH | CVSS 7.7 | CWE-22 | v9.7 | 2024-06-25 | source: nvd
A Path Traversal and Remote File Inclusion (RFI) vulnerability exists in the parisneo/lollms-webui application, affecting versions v9.7 to the latest. The vulnerability arises from insufficient input validation in the `/apply_settings` function, allowing an attacker to manipulate the `discussion_db_name` parameter to traverse the file system and include
CVE-2024-3322 | CRITICAL | CVSS 9.8 | CWE-22 | fixed in 9.5 | 2024-06-06 | source: nvd
A path traversal vulnerability exists in the 'cyber_security/codeguard' native personality of the parisneo/lollms-webui, affecting versions up to 9.5. The vulnerability arises from the improper limitation of a pathname to a restricted directory in the 'process_folder' function within 'lollms-webui/zoos/personalities_zoo/cyber_security/codeguard/scrip