Local File Inclusion Vulnerability in parisneo/lollms-webui
CVE-2024-2356

9.6 CRITICAL

Key Information:

Vendor

Parisneo

CVE Published:
2 February 2026

What is CVE-2024-2356?

A Local File Inclusion (LFI) vulnerability has been identified in the '/reinstall_extension' endpoint of the parisneo/lollms-webui application. It is triggered by a malicious name parameter, which causes the server to load and execute arbitrary Python files from the upload directory, potentially leading to Remote Code Execution (RCE). The root cause is the insecure concatenation of data.name with lollmsElfServer.lollms_paths.extensions_zoo_path; the resulting path is then used in the ExtensionBuilder().build_extension() call. Because the loader handles Python files, in particular __init__.py, the flaw may permit unauthorized code execution, especially when the application runs in headless mode or binds to 0.0.0.0. Notably, exploitation does not require user interaction, so users of this application should assess their security posture.
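The weakness described above is a path built by joining an untrusted name onto the extensions directory and handing the result to a loader that imports Python. The following is an added example, not code from lollms-webui, of the containment check a maintainer would place in front of such a loader: it allow-lists the raw name and then verifies that the resolved directory still sits directly under the extensions zoo. The function names, the exception class and the demo directory are assumptions for illustration.

```python
"""
Added example (not lollms-webui's own code): a containment check for an
extension name before it is joined onto the extensions zoo directory.
Function names and the demo directory are assumptions for illustration.
"""
import re
from pathlib import Path

# Only plain directory names are accepted: letters, digits, underscore, hyphen.
# Separators, "..", absolute paths and empty strings never reach the filesystem.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class UnsafeExtensionName(ValueError):
    """Raised when a requested extension name would escape the zoo directory."""


def resolve_extension_dir(extensions_zoo_path, name):
    """Return the directory for extension `name`, or raise UnsafeExtensionName.

    Two independent checks are applied: an allow-list on the raw string, then
    a containment check on the resolved path, so that neither traversal
    sequences nor an odd (e.g. symlinked) layout can move the loader outside
    the zoo. The caller would only import `<result>/__init__.py` after this
    check succeeds.
    """
    if not isinstance(name, str) or not _SAFE_NAME.fullmatch(name):
        raise UnsafeExtensionName(f"rejected extension name: {name!r}")

    zoo = Path(extensions_zoo_path).resolve()
    candidate = (zoo / name).resolve()

    # Path.resolve() follows symlinks for existing components and is lexical
    # for missing ones; in both cases the parent must be the zoo itself.
    if candidate.parent != zoo:
        raise UnsafeExtensionName(f"{candidate} is outside {zoo}")
    return candidate


def is_safe_extension_name(extensions_zoo_path, name):
    """Boolean wrapper around resolve_extension_dir, used by the demo below."""
    try:
        resolve_extension_dir(extensions_zoo_path, name)
        return True
    except UnsafeExtensionName:
        return False


if __name__ == "__main__":
    # Constructed sample inputs; the zoo path is hypothetical.
    zoo = "/opt/lollms/extensions_zoo"
    for requested in ["my_extension", "../uploads/evil", "/etc/passwd", "a/b", ""]:
        verdict = "allowed" if is_safe_extension_name(zoo, requested) else "rejected"
        print(f"{requested!r:24} -> {verdict}")
```

The allow-list alone already stops the traversal case; the second check is kept because a loader that imports code should fail closed even if the name filter is later relaxed.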

Affected Version(s)

parisneo/lollms-webui < unspecified

CVSS V3.0

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved