Parisneo Lollms Vulnerable to Local File Inclusion Attacks
CVE-2024-4315
9.1 CRITICAL
Summary
The vulnerability in Lollms version 9.5, developed by Parisneo, arises from inadequate sanitization of file paths, specifically Windows-style paths. The flaw in the sanitize_path_from_endpoint function permits Local File Inclusion (LFI) attacks, allowing directory traversal on Windows systems. It can be exploited through multiple endpoints, including personalities and /del_preset, granting unauthorized access to read or delete files within the Windows filesystem. As a consequence, this vulnerability poses significant risks to system integrity and availability.
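The failure mode described in the summary, as an added example that is not Lollms code: a hypothetical naive_sanitize that only rejects POSIX-style traversal, beside a strict_sanitize that also treats backslashes, drive letters and UNC prefixes as hostile. All function names and sample paths are constructed for illustration.

```python
import posixpath
import re

# Matches a Windows drive prefix such as "C:" (also covers drive-relative "C:file").
DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")


def naive_sanitize(path: str) -> str:
    """Hypothetical weak check: only forward-slash traversal is considered."""
    if path.startswith("/") or "../" in path:
        raise ValueError("unsafe path")
    return path


def strict_sanitize(path: str) -> str:
    """Reject traversal and absolute paths in both POSIX and Windows syntax."""
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    # Treat both separators identically, whatever OS the server runs on.
    unified = path.replace("\\", "/")
    if unified.startswith("/") or DRIVE_PREFIX.match(unified):
        raise ValueError("absolute, drive-letter or UNC path")
    if ".." in unified.split("/"):
        raise ValueError("parent-directory segment")
    return posixpath.normpath(unified)


def is_rejected(sanitizer, path: str) -> bool:
    """True when the given sanitizer refuses the path."""
    try:
        sanitizer(path)
        return False
    except ValueError:
        return True


# Constructed sample inputs, not taken from the advisory.
SAMPLES = [
    "presets/my_preset.yaml",        # legitimate relative path
    "..\\..\\Windows\\win.ini",      # backslash traversal
    "C:\\Windows\\win.ini",          # drive-letter absolute path
    "\\\\host\\share\\file.txt",     # UNC path
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:32} naive_rejects={is_rejected(naive_sanitize, sample)} "
              f"strict_rejects={is_rejected(strict_sanitize, sample)}")
```

After sanitizing, the result should still be joined to the intended base directory and checked for containment before any read or delete.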
Affected Version(s)
parisneo/lollms < 9.8
CVSS V3.1
Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published