Arbitrary Code Execution Vulnerability in Parisneo/Lollms
CVE-2024-4078
9.8CRITICAL
What is CVE-2024-4078?
A vulnerability exists in Parisneo's Lollms software that allows attackers to execute arbitrary code. This security flaw is present in the /unInstall_binding endpoint, which fails to adequately sanitize user input. Specifically, the vulnerability stems from a lack of path sanitization when processing the name parameter in the unInstall_binding function. Attackers can exploit this weakness by traversing directories, potentially loading a malicious __init__.py file and executing arbitrary commands. This issue significantly compromises the security of systems running the affected versions of the software, allowing unauthorized access and control.
Affected Version(s)
parisneo/lollms < unspecified
