Path Traversal Leading to Remote Code Execution
A path traversal vulnerability in version 9.4.0 allows attackers to overwrite the `configs/config.yaml` file via the `/set_personality_config` endpoint, leading to remote code execution. This issue was patched in the latest version.
Available publicly on Jun 15 2024
Remediation Steps
- Update to the latest version of the software.
- Ensure proper sanitization of input values in the `/set_personality_config` endpoint.
- Implement additional validation checks to prevent path traversal attacks.
- Regularly review and audit code for security vulnerabilities.
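The second and third remediation steps amount to one control: a client-supplied path may only ever resolve to a file inside the directory the endpoint is meant to write. The following Python example is added here to show that check; it is not lollms code and does not reproduce the project's handler or the patch commit. The directory name `personalities_zoo`, the function names, and every sample path are constructed for the demonstration. It canonicalises the joined path (which collapses `..` and follows symlinks) and then compares path components rather than string prefixes, so `../../configs/config.yaml`, absolute paths, a sibling directory that merely shares the root's name as a prefix, and a symlink pointing outside the root are all refused.

```python
import tempfile
from pathlib import Path

# Added example, not lollms project code. All names here are hypothetical.


class PathTraversalError(ValueError):
    """Raised when a client-supplied path would land outside the allowed root."""


def resolve_within(root: Path, user_supplied: str) -> Path:
    """
    Return the canonical path for `user_supplied` only if it stays under `root`.

    Path.resolve() collapses '..' segments and follows symlinks, so the check
    is done on what the OS would actually open. The containment test walks
    path components; a string test such as
    str(candidate).startswith(str(root)) would wrongly accept
    '/srv/personalities_zoo_evil/x' for root '/srv/personalities_zoo'.
    """
    if not user_supplied or "\x00" in user_supplied:
        raise PathTraversalError("empty or NUL-containing path")
    root_real = root.resolve()
    # Joining an absolute user path discards root_real, so absolute input
    # simply resolves to itself and fails the containment check below.
    candidate = (root_real / user_supplied).resolve()
    if candidate != root_real and root_real not in candidate.parents:
        raise PathTraversalError(f"{user_supplied!r} escapes {root_real}")
    return candidate


def write_personality_config(root: Path, relative_name: str, yaml_text: str) -> Path:
    """Write a personality config, refusing any name that leaves `root`."""
    target = resolve_within(root, relative_name)
    if target.suffix != ".yaml":
        raise PathTraversalError("only .yaml files may be written here")
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(yaml_text)
    return target


def demo() -> dict:
    """
    Exercise the guard on constructed inputs inside a scratch directory and
    report, per input, whether the write was accepted or rejected.
    """
    tmp = Path(tempfile.mkdtemp(prefix="pt_demo_"))
    root = tmp / "personalities_zoo"        # the only directory we may write to
    root.mkdir()
    (tmp / "personalities_zoo_evil").mkdir()  # prefix-collision sibling
    (tmp / "outside").mkdir()
    cases = [
        "english/generic/config.yaml",                   # legitimate
        "../../configs/config.yaml",                     # classic traversal
        "/etc/passwd",                                   # absolute path
        "../personalities_zoo_evil/config.yaml",         # prefix collision
        "english/generic/../../../outside/config.yaml",  # traversal after a valid prefix
    ]
    try:
        # Symlink inside the root that points outside it; skipped where the
        # platform refuses to create symlinks.
        (root / "link").symlink_to(tmp / "outside", target_is_directory=True)
        cases.append("link/config.yaml")
    except OSError:
        pass

    results = {}
    for name in cases:
        try:
            write_personality_config(root, name, "name: demo\n")
            results[name] = "written"
        except PathTraversalError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{outcome:8s} {name}")
```

Only the first case is written; it ends up at `personalities_zoo/english/generic/config.yaml`. Everything else raises `PathTraversalError` before any file is touched, which is the behaviour the endpoint in the advisory lacked. Keeping the suffix restriction after the containment check means an attacker-controlled name is never used to probe the filesystem before it has been confined.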
Patch Details
- Fixed Version: latest
- Patch Commit: https://github.com/ParisNeo/lollms/commit/eda3af5f5c4ea9b2f3569f72f8d05989e29367fc