Windows Path Traversal
A vulnerability in the lollms application allows attackers to perform directory traversal attacks on Windows systems due to improper sanitization of Windows-style paths. The issue affects version 9.5 and was patched in version 9.8.
Available publicly on Jun 12 2024 | Available with Premium on May 21 2024
Remediation Steps
- Update to lollms version 9.8 or later.
- Ensure that all path sanitization functions properly handle Windows-style paths (backslashes).
- Regularly audit and test security measures to prevent directory traversal and other types of attacks.
- Consider implementing additional layers of security, such as firewalls and intrusion detection systems, to mitigate the risk of exploitation.
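The backslash handling called for in the remediation steps can be illustrated as follows. This is an added example, not lollms code or the content of the patch commit. The function names, the weak check shown for contrast, and the sample paths are all constructed for illustration. ntpath is used so the Windows path rules apply on any operating system.

```python
import ntpath

def naive_is_safe(user_path: str) -> bool:
    """Constructed weak check: only recognises forward-slash traversal."""
    return "../" not in user_path and not user_path.startswith("/")

def is_safe_relative_path(user_path: str) -> bool:
    """Reject traversal, rooted paths and drive/UNC prefixes in either separator style."""
    if not user_path or "\x00" in user_path:
        return False
    normalized = user_path.replace("\\", "/")   # treat both separators alike
    if normalized.startswith("/"):               # rooted path or UNC (\\host\share)
        return False
    drive, _ = ntpath.splitdrive(user_path)      # "C:" style prefix
    if drive:
        return False
    return ".." not in normalized.split("/")

def resolve_under(base: str, user_path: str) -> str:
    """Join user_path onto base using Windows rules and confirm containment."""
    if not is_safe_relative_path(user_path):
        raise ValueError(f"rejected path: {user_path!r}")
    base_norm = ntpath.normpath(base)
    full = ntpath.normpath(ntpath.join(base_norm, user_path))
    # Defence in depth: the normalised result must still sit below base.
    if ntpath.commonpath([base_norm, full]) != base_norm:
        raise ValueError(f"escapes base directory: {user_path!r}")
    return full

if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["docs\\a.txt", "..\\..\\secret.txt", "../secret.txt", "C:\\secret.txt"]:
        print(f"{sample!r:24} naive={naive_is_safe(sample)} "
              f"strict={is_safe_relative_path(sample)}")
```

The forward-slash-only check accepts the backslash form of a traversal path, while the stricter check rejects it along with drive-letter and UNC prefixes.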
Patch Details
- Fixed Version: 9.8
- Patch Commit: https://github.com/ParisNeo/lollms/commit/95ad36eeffc6a6be3e3f35ed35a384d768f0ecf6