CVE-2024-2362: Path Traversal in parisneo/lollms-webui
First published: Thu Jun 06 2024(Updated: )
A path traversal vulnerability exists in the parisneo/lollms-webui version 9.3 on the Windows platform. Due to improper validation of file paths between Windows and Linux environments, an attacker can exploit this vulnerability to delete any file on the system. The issue arises from the lack of adequate sanitization of user-supplied input in the 'del_preset' endpoint, where the application fails to prevent the use of absolute paths or directory traversal sequences ('..'). As a result, an attacker can send a specially crafted request to the 'del_preset' endpoint to delete files outside of the intended directory.
Credit: security@huntr.dev
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Lollms Lollms Web Ui Linux | =9.3 | |
| Lollms Lollms Web Ui Windows | =9.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
- agent/title
- agent/weakness
- agent/references
- agent/first-publish-date
- agent/type
- agent/description
- agent/author
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/lollms
- canonical/lollms lollms web ui linux
- version/lollms lollms web ui linux/9.3
- canonical/lollms lollms web ui windows
- version/lollms lollms web ui windows/9.3