Path Traversal in parisneo/lollms
CVE-2024-5824

7.4 HIGH

Key Information:

Vendor: Parisneo
CVE Published: 27 June 2024

Summary

A path traversal vulnerability exists in the /set_personality_config endpoint of the Parisneo Lollms application, specifically in version 9.4.0. The endpoint handles file paths improperly, which allows an attacker to overwrite the configs/config.yaml file. By manipulating this configuration file, an attacker can change critical server properties such as force_accept_remote_access and turn_on_code_validation, ultimately leading to the execution of arbitrary code on the server. This poses a significant risk to the security and integrity of affected systems.
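The bug class described above, as an added illustration that is not lollms' own code: a naive path join that lets a ".." segment in an untrusted personality name walk up to configs/config.yaml, beside a hardened version that restricts the name to a single path component and re-checks containment. The directory layout, the function names and the sample inputs are constructed assumptions.

```python
import os

# Constructed layout that mirrors the advisory's description: a directory the
# endpoint is meant to write under, and the server's configs/config.yaml one
# level above it. Paths and names here are assumptions, not lollms' own code.
APP_ROOT = "/opt/lollms"                                   # hypothetical install root
PERSONALITY_DIR = os.path.join(APP_ROOT, "personalities")  # hypothetical writable area
SERVER_CONFIG = os.path.join(APP_ROOT, "configs", "config.yaml")


def is_within(base: str, target: str) -> bool:
    """True when the lexically normalised target lies under base (or is base)."""
    base_n = os.path.normpath(base)
    target_n = os.path.normpath(target)
    return os.path.commonpath([base_n, target_n]) == base_n


def vulnerable_target(personality_name: str) -> str:
    """Naive join: a '..' segment in the untrusted name walks out of PERSONALITY_DIR.
    Shows the bug class the advisory describes, not the project's actual code."""
    return os.path.join(PERSONALITY_DIR, personality_name, "config.yaml")


def safe_target(personality_name: str) -> str:
    """Accept only a single plain path component, then re-check containment."""
    if personality_name in ("", ".", "..") or any(sep in personality_name for sep in ("/", "\\", os.sep)):
        raise ValueError("personality name must be a single path component")
    target = os.path.normpath(os.path.join(PERSONALITY_DIR, personality_name, "config.yaml"))
    if not is_within(PERSONALITY_DIR, target):
        raise ValueError("resolved path escapes the personality directory")
    return target


def hits_server_config(path: str) -> bool:
    """Does a candidate write land on the server's configs/config.yaml?"""
    return os.path.normpath(path) == os.path.normpath(SERVER_CONFIG)


if __name__ == "__main__":
    for name in ("my_persona", "../configs"):   # constructed sample inputs
        naive = vulnerable_target(name)
        print(f"{name!r}: naive join -> {naive} (server config: {hits_server_config(naive)})")
        try:
            print(f"{name!r}: hardened -> {safe_target(name)}")
        except ValueError as exc:
            print(f"{name!r}: rejected ({exc})")
```

In a real deployment the containment check should run on the realpath of the target as well, so that symlinks inside the writable directory cannot point the write elsewhere.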

Affected Version(s)

parisneo/lollms < unspecified

References

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published