Description

parisneo/lollms version 9.5 is vulnerable to Local File Inclusion (LFI) attacks due to insufficient path sanitization. The `sanitize_path_from_endpoint` function fails to properly sanitize Windows-style paths, which use the backslash (`\`) as separator, allowing attackers to perform directory traversal attacks on Windows systems. This vulnerability can be exploited through various routes, including `personalities` and `/del_preset`, to read or delete any file on the Windows filesystem, compromising the system's availability.
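The class of flaw described above, as an added example that is not lollms code: `sanitize_forward_only` is a hypothetical stand-in for a check that only recognises `/`, and `sanitize_windows_aware` parses the input with Windows path rules before deciding. The base directory and sample inputs are constructed, and `ntpath` is used so the Windows join behaviour is reproduced on any OS.

```python
import ntpath
from pathlib import PureWindowsPath

BASE = r"C:\lollms_data\presets"  # constructed base directory, not a path from the project

def sanitize_forward_only(path: str) -> str:
    """Hypothetical weak check: rejects only '/'-style traversal."""
    if path.startswith("/") or "../" in path:
        raise ValueError(f"rejected: {path!r}")
    return path

def sanitize_windows_aware(path: str) -> str:
    """Parse with Windows rules so '\\' and '/' are both treated as separators."""
    p = PureWindowsPath(path)
    if p.drive or p.root:
        raise ValueError(f"absolute, drive or UNC path rejected: {path!r}")
    if ".." in p.parts:
        raise ValueError(f"traversal rejected: {path!r}")
    return str(p)

def resolve(base: str, user_path: str, sanitizer) -> tuple[str, bool]:
    """Join the way Windows would; report whether the result stays under base."""
    joined = ntpath.normpath(ntpath.join(base, sanitizer(user_path)))
    try:
        inside = ntpath.commonpath([base, joined]) == ntpath.normpath(base)
    except ValueError:  # paths on different drives share no common prefix
        inside = False
    return joined, inside

if __name__ == "__main__":
    # Constructed inputs: a benign name, a '/' traversal, a '\' traversal.
    for candidate in ["my_preset.yaml", "../outside.txt", r"..\..\outside.txt"]:
        for sanitizer in (sanitize_forward_only, sanitize_windows_aware):
            try:
                joined, inside = resolve(BASE, candidate, sanitizer)
                print(f"{sanitizer.__name__:24} {candidate!r:22} -> {joined} inside={inside}")
            except ValueError as exc:
                print(f"{sanitizer.__name__:24} {exc}")
```

The containment check in `resolve` is the second layer: even if a sanitizer misses a variant, a handler that refuses any joined path where `inside` is false will not read or delete outside the base directory.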

INFO

Published Date: 2024-06-12T00:40:15.768Z

Last Modified: 2025-10-15T12:50:24.257Z

Source: @huntr_ai

AFFECTED PRODUCTS

The following products are affected by the CVE-2024-4315 vulnerability.

Vendor: Parisneo
Product: Lollms