CRITICAL🇵🇱 Wersja polska

CVE-2024-8898

CVSS 9.8v3.1pub. 2025-03-20upd. 2025-04-01

A path traversal vulnerability exists in the `install` and `uninstall` API endpoints of parisneo/lollms-webui version V12 (Strawberry). This vulnerability allows attackers to create or delete directories with arbitrary paths on the system. The issue arises due to insufficient sanitization of user-supplied input, which can be exploited to traverse directories outside the intended path.

🤖 AI Analysis
How it works

The vulnerability results from insufficient input data sanitization provided by the user in the API endpoints `install` and `uninstall`. An attacker can craft a request containing path traversal sequences (e.g., `../`), which cause exit from the intended target directory. As a result, the application processes paths outside the permitted file system area, allowing manipulation of directory structure on the server.

Impact

An unauthenticated attacker can create or delete directories in arbitrary locations on the server, which may lead to system integrity violation, deletion of critical data, or disruption of application and operating system functionality.

Mitigation & patch

Update lollms-webui to a version containing the fix available in commit 6d07c8a0dd0a15cc060becc73fda9fe8e788eb23 in the manufacturer's GitHub repository. Apply patches available from the vendor according to references.

Who is affected

parisneo/lollms-webui version V12 (Strawberry)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Lollms Web Ui

    APP
    Lollms
    12
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
References

Related vulnerabilities

CVE-2026-33340CRITICAL9.1PL ✓ten sam produkt

SSRF i brak uwierzytelnienia w lollms-webui — dostęp do wewnętrznych zasobów

CVE-2024-8581CRITICAL9.1PL ✓ten sam produkt

Path Traversal w lollms-webui umożliwia usunięcie dowolnego pliku

CVE-2024-1873CRITICAL9.1PL ✓ten sam produkt

Path Traversal i DoS w endpoint /select_database aplikacji lollms-webui

CVE-2024-2359CRITICAL9.8PL ✓ten sam produkt

Command Injection w lollms-webui — obejście zabezpieczeń i RCE

CVE-2024-2360CRITICAL9.8PL ✓ten sam produkt

Path Traversal prowadzący do RCE w parisneo/lollms-webui