Path Traversal Vulnerability in Parisneo's Lollms-Webui Affects Remote Code Execution
CVE-2024-2360
9.8CRITICAL
What is CVE-2024-2360?
The vulnerability in parisneo's Lollms WebUI arises from inadequate validation of user-supplied inputs related to the 'Database path' and 'PDF LaTeX path'. An attacker can manipulate these parameters to launch path traversal attacks, leading to the execution of arbitrary code on the targeted server. This flaw exploits the application's handling of 'discussion_db_name' and 'pdf_latex_path', where improper sanitization allows access to restricted directories. Consequently, this vulnerability not only facilitates remote code execution but also exposes additional files, potentially opening up further attack vectors.
Affected Version(s)
parisneo/lollms-webui <= unspecified