Description

A vulnerability in parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows arbitrary code execution due to insufficient sanitization of user input. The issue arises from the lack of path sanitization when handling the `name` parameter in the `unInstall_binding` function, which lets an attacker traverse directories and execute arbitrary code by causing a malicious `__init__.py` file to be loaded. This vulnerability affects the latest version of the software. Exploitation could lead to remote code execution on the system where parisneo/lollms is deployed.
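An added example, not code from the lollms project (its actual `unInstall_binding` handler and fix are not shown on this page), of the path check the description says is missing: a binding name is accepted only if it matches a strict allow-list and still resolves inside the bindings directory, so a traversal such as `../outside` can never select a package outside that root. The function names `safe_binding_path`, `is_reachable` and the temporary directory layout are assumptions constructed for the illustration.

```python
# Added illustration, not lollms code: hardened resolution of a user-supplied
# binding name. All names and the sample directory layout are assumptions.
import re
import tempfile
from pathlib import Path
from typing import Optional

# Only plain identifiers are accepted as binding names (no separators).
_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def safe_binding_path(bindings_root: Path, name: str) -> Optional[Path]:
    """Return the directory for `name` inside bindings_root, or None.

    Two independent checks: the name must match the allow-list (this
    rejects '/', '\\' and encoded separators outright, and '..' is refused
    explicitly), and the resolved path must still lie inside the resolved
    bindings root, which also defeats symlink tricks and platform quirks.
    """
    if not _NAME_RE.match(name) or ".." in name:
        return None
    root = bindings_root.resolve()
    candidate = (root / name).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


def build_demo_layout() -> Path:
    """Create a throwaway bindings tree (constructed sample data)."""
    base = Path(tempfile.mkdtemp())
    (base / "bindings" / "ollama").mkdir(parents=True)
    (base / "bindings" / "ollama" / "__init__.py").write_text("# benign\n")
    # Planted outside the bindings root: must never be reachable by name.
    (base / "outside").mkdir()
    (base / "outside" / "__init__.py").write_text("# must not load\n")
    return base


def is_reachable(bindings_root: Path, name: str) -> bool:
    """True only if `name` maps to a package inside the bindings root."""
    path = safe_binding_path(bindings_root, name)
    return path is not None and (path / "__init__.py").is_file()


if __name__ == "__main__":
    root = build_demo_layout() / "bindings"
    for n in ("ollama", "../outside", "..%2Foutside", "/etc"):
        print(f"{n!r:>14} -> {'allowed' if is_reachable(root, n) else 'rejected'}")
```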

INFO

Published Date: 2024-05-16T09:03:49.562Z

Last Modified: 2024-08-08T14:40:25.921Z

Source: @huntr_ai

AFFECTED PRODUCTS

The following products are affected by CVE-2024-4078 vulnerability.

Vendor: Parisneo
  • Product: Lollms