Path Traversal Vulnerability in Lollms-Webui Could Lead to Remote Code Execution
CVE-2024-3435

8.4HIGH

Key Information:

Vendor: Parisneo
Status: Parisneo/lollms-webui
Vendor: CVE Published:; 16 May 2024

Summary

A vulnerability exists in the 'save_settings' endpoint of the Lollms-WebUI application due to insufficient sanitization of the 'config' parameter in the 'apply_settings' function. This flaw enables an attacker to exploit the application by sending specially crafted JSON payloads, allowing unauthorized manipulation of application configurations. The vulnerability could be exploited to execute remote code, potentially bypassing security patches designed to protect against such attacks.

Affected Version(s)

parisneo/lollms-webui < 9.5

References

https://huntr.com/bounties/494f349a-8650-4d30-a0bd-4742fd...

https://github.com/parisneo/lollms-webui/commit/bb99b59e7...

CVSS V3.1

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 16, 2024
Vulnerability Reserved
Apr 7, 2024