A Path Traversal and Remote File Inclusion (RFI) vulnerability exists in the parisneo/lollms-webui application, affecting versions v9.7 to the latest. The vulnerability arises from insufficient input validation in the `/apply_settings` function, allowing an attacker to manipulate the `discussion_db_name` parameter to traverse the file system and include arbitrary files. This issue is compounded by the bypass of input filtering in the `install_binding`, `reinstall_binding`, and `unInstall_binding` endpoints, despite the presence of a `sanitize_path_from_endpoint(data.name)` filter. Successful exploitation enables an attacker to upload and execute malicious code on the victim's system, leading to Remote Code Execution (RCE).
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 09 Jul 2025 14:45:00 +0000

Type                 | Values Removed | Values Added
---------------------|----------------|------------------------------------------------------
First Time appeared  |                | Lollms
                     |                | Lollms lollms Web Ui
CPEs                 |                | cpe:2.3:a:lollms:lollms_web_ui:9.7:*:*:*:*:*:*:*
Vendors & Products   |                | Lollms
                     |                | Lollms lollms Web Ui

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2024-08-01T20:40:47.296Z

Reserved: 2024-05-04T20:37:18.531Z

Link: CVE-2024-4498

Vulnrichment

Updated: 2024-08-01T20:40:47.296Z

NVD

Status: Analyzed

Published: 2024-06-25T20:15:12.127

Modified: 2025-07-09T14:24:04.403

Link: CVE-2024-4498

Redhat

No data.

OpenCVE Enrichment

No data.