Path Traversal Vulnerability in Parisneo Lollms Package
CVE-2024-6139
Currently unrated
Summary
A path traversal vulnerability is present in the XTTS server of the parisneo/lollms package version v9.6. It enables an attacker to write audio files to arbitrary locations on the system and to enumerate file paths. The root cause is insufficient validation of user-provided file paths when handling requests to the tts_to_file endpoint, which poses significant risks to system integrity and data confidentiality.
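One way to validate a client-supplied output file name before any audio is written, shown as an added example that is not lollms code. The names `resolve_output_path` and `RejectedPath`, the allowed suffixes and the sample file names are hypothetical.

```python
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".wav", ".mp3"}  # assumption: the audio formats the service writes


class RejectedPath(ValueError):
    """Always raised with one fixed message, so responses do not reveal what exists on disk."""


def resolve_output_path(output_root: Path, requested: str) -> Path:
    """Map a client-supplied file name to a path guaranteed to sit inside output_root."""
    root = output_root.resolve()
    if not requested or "\x00" in requested:
        raise RejectedPath("invalid file name")
    # resolve() collapses ".." and follows symlinks. An absolute `requested`
    # replaces root in the join, and the containment check below rejects it.
    candidate = (root / requested).resolve()
    if candidate == root or not candidate.is_relative_to(root):
        raise RejectedPath("invalid file name")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise RejectedPath("invalid file name")
    return candidate


def check_samples() -> dict:
    """Run constructed sample inputs through the resolver and report the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "outputs"
        root.mkdir()
        samples = ["speech.wav", "sub/clip.mp3", "../outside.wav",
                   "/tmp/elsewhere.wav", "sub/../../outside.wav", "notes.txt", ""]
        results = {}
        for name in samples:
            try:
                resolve_output_path(root, name)
                results[name] = "accepted"
            except RejectedPath:
                results[name] = "rejected"
        return results


if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name!r:28} {verdict}")
```

The check is done on the resolved path rather than on the raw string, so encoded or nested `..` segments and symlinks inside the output directory are judged by where the write would actually land.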
Timeline
Vulnerability published