VYPR
Moderate severity · NVD Advisory · Published May 30, 2024 · Updated Aug 1, 2024

Path Traversal in parisneo/lollms-webui

CVE-2024-4330

Description

A path traversal vulnerability was identified in the parisneo/lollms-webui repository, specifically within version 9.6. The vulnerability arises due to improper handling of user-supplied input in the 'list_personalities' endpoint. By crafting a malicious HTTP request, an attacker can traverse the directory structure and view the contents of any folder, albeit limited to subfolder names only. This issue was demonstrated via a specific HTTP request that manipulated the 'category' parameter to access arbitrary directories. The vulnerability is present in the code located at the 'endpoints/lollms_advanced.py' file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Path traversal in lollms-webui’s list_personalities endpoint allows attackers to enumerate subfolder names by manipulating the category parameter.

Vulnerability

Description

CVE-2024-4330 is a path traversal vulnerability in the parisneo/lollms-webui repository, version 9.6. The flaw resides in the list_personalities endpoint within the endpoints/lollms_advanced.py file. The application fails to properly sanitize user-supplied input for the category parameter, allowing an attacker to traverse directories via a crafted HTTP request [1].

Exploitation

An attacker can exploit this by sending a malicious request where the category parameter contains path traversal sequences (e.g., ../). Successful exploitation reveals the names of subfolders in arbitrary directories, but not the contents of files. The issue was demonstrated by manipulating the category parameter to access directories outside the intended scope [3].

Impact

While only subfolder names are disclosed, this information can aid attackers in mapping the directory structure, potentially leading to further attacks. The vulnerability is classified as low severity due to the limited disclosure, but it violates the principle of least privilege and may expose sensitive paths [1].

Mitigation

As of the publication date (2024-05-30), a patch has not been confirmed. Users of version 9.6 should monitor the official repository [2] for updates and apply any fixes promptly. The issue was reported via a bug bounty platform [3], suggesting the vendor may be working on a resolution.
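The defensive pattern the sections above call for is to confine the `category` parameter to the personalities directory before listing it. The following is an added example written for this page, not code from the lollms-webui project: the vulnerable listing helper beside a hardened one, run against a small directory tree constructed in a temporary folder. The directory names (`personalities_zoo`, `secret_configs`), the function names and the allow-list regex are all assumptions made for the illustration; only the endpoint name and parameter name come from the advisory.

```python
import re
import tempfile
from pathlib import Path

# Hypothetical allow-list for a category name: one path component, no separators.
SAFE_CATEGORY = re.compile(r"[A-Za-z0-9_\-]+")


def list_personalities_unsafe(base: Path, category: str) -> list[str]:
    """Vulnerable pattern: untrusted `category` is joined onto the base
    directory and listed without checking where the result lands, so a
    value such as '../secret_configs' walks out of the personalities tree.
    Only subfolder names are returned, matching the advisory's description."""
    target = base / category
    return sorted(p.name for p in target.iterdir() if p.is_dir())


def resolve_category_dir(base: Path, category: str) -> Path:
    """Return the directory for `category`, or raise ValueError if the
    value is not a plain name or resolves outside `base`."""
    # First line of defence: reject anything that is not a single simple name.
    if not SAFE_CATEGORY.fullmatch(category):
        raise ValueError(f"invalid category name: {category!r}")
    base = base.resolve()
    target = (base / category).resolve()  # collapses '..' and follows symlinks
    # Second line of defence: the resolved path must stay strictly inside base.
    if target == base or not target.is_relative_to(base):
        raise ValueError("category escapes the personalities directory")
    return target


def list_personalities_safe(base: Path, category: str) -> list[str]:
    """Hardened listing: same output as the unsafe version for valid input,
    ValueError for traversal attempts, FileNotFoundError for unknown categories."""
    target = resolve_category_dir(base, category)
    if not target.is_dir():
        raise FileNotFoundError(f"no such category: {category!r}")
    return sorted(p.name for p in target.iterdir() if p.is_dir())


def build_demo_tree() -> tuple[Path, Path]:
    """Constructed sample layout (not the project's real tree):
    <root>/personalities_zoo/<category>/<personality>/ plus an unrelated
    <root>/secret_configs/ folder that must never be listable."""
    root = Path(tempfile.mkdtemp())
    personalities = root / "personalities_zoo"
    for category, names in {"generic": ["lollms", "chatgpt"], "coding": ["python_dev"]}.items():
        for name in names:
            (personalities / category / name).mkdir(parents=True)
    (root / "secret_configs" / "keys").mkdir(parents=True)
    return root, personalities


def traversal_rejected(base: Path, category: str) -> bool:
    """True if the hardened listing refuses `category` as a traversal attempt."""
    try:
        list_personalities_safe(base, category)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    _, zoo = build_demo_tree()
    print("valid category:", list_personalities_safe(zoo, "generic"))
    print("unsafe leaks   :", list_personalities_unsafe(zoo, "../secret_configs"))
    print("safe rejects   :", traversal_rejected(zoo, "../secret_configs"))
```

The allow-list alone would already stop the `../` case; the resolve-and-containment check is kept as a second layer so that a later relaxation of the regex (for example to permit nested categories) does not silently reopen the hole.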

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • ghsa-coords
  • parisneo/parisneo/lollms-webuiv5
    Range: unspecified

Patches


No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References


News mentions


No linked articles in our index yet.