A Path Traversal and Remote File Inclusion (RFI)...
High severity
Unreviewed
Published
Jun 25, 2024
to the GitHub Advisory Database
•
Updated Jun 25, 2024
Description
Published by the National Vulnerability Database
Jun 25, 2024
Published to the GitHub Advisory Database
Jun 25, 2024
Last updated
Jun 25, 2024
A Path Traversal and Remote File Inclusion (RFI) vulnerability exists in the parisneo/lollms-webui application, affecting versions v9.7 to the latest. The vulnerability arises from insufficient input validation in the
/apply_settings
function, allowing an attacker to manipulate thediscussion_db_name
parameter to traverse the file system and include arbitrary files. This issue is compounded by the bypass of input filtering in theinstall_binding
,reinstall_binding
, andunInstall_binding
endpoints, despite the presence of asanitize_path_from_endpoint(data.name)
filter. Successful exploitation enables an attacker to upload and execute malicious code on the victim's system, leading to Remote Code Execution (RCE).References