Vulnerability Description
A path traversal vulnerability exists in the 'save_settings' endpoint of the parisneo/lollms-webui application, affecting versions up to the latest release before 9.5. The vulnerability arises due to insufficient sanitization of the 'config' parameter in the 'apply_settings' function, allowing an attacker to manipulate the application's configuration by sending specially crafted JSON payloads. This could lead to remote code execution (RCE) by bypassing existing patches designed to mitigate such vulnerabilities.
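The defensive shape that closes this class of bug, as an added illustration and not code from lollms-webui (its real apply_settings and the fix are in the referenced commit): a hypothetical settings-apply routine that only accepts allowlisted keys with the expected types and confines any path-valued setting to a base directory after resolving it. All key names and the base directory are assumptions.

```python
from pathlib import Path
import json

# Hypothetical schema: the only keys a payload may set; "path" marks a value that must resolve inside BASE_DIR.
ALLOWED_KEYS = {"model_name": str, "temperature": float,
                "max_tokens": int, "data_dir": "path"}
BASE_DIR = Path("/srv/app/data").resolve()  # hypothetical root for path settings


class InvalidSetting(ValueError):
    """Raised when a submitted setting fails validation."""


def resolve_inside_base(value: str) -> Path:
    """Resolve a user-supplied path and require it to stay under BASE_DIR.

    Resolving first, then comparing, catches '..' segments and absolute
    paths that a naive substring check for '..' would miss.
    """
    candidate = (BASE_DIR / value).resolve()
    try:
        candidate.relative_to(BASE_DIR)
    except ValueError:
        raise InvalidSetting(f"path escapes base directory: {value!r}")
    return candidate


def apply_settings(current: dict, payload: str) -> dict:
    """Merge a JSON config payload into `current` after validating every entry.

    Unknown keys, wrong types and path escapes raise InvalidSetting instead
    of being written into the configuration.
    """
    incoming = json.loads(payload)
    if not isinstance(incoming, dict):
        raise InvalidSetting("config must be a JSON object")
    updated = dict(current)
    for key, value in incoming.items():
        expected = ALLOWED_KEYS.get(key)
        if expected is None:
            raise InvalidSetting(f"unknown setting: {key!r}")
        if expected == "path":
            if not isinstance(value, str):
                raise InvalidSetting(f"{key!r} must be a string path")
            updated[key] = str(resolve_inside_base(value))
        elif isinstance(value, bool) or not isinstance(value, expected):
            raise InvalidSetting(f"{key!r} must be {expected.__name__}")
        else:
            updated[key] = value
    return updated
```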
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lollms | Lollms Web Ui | < 9.5 |
Related Weaknesses (CWE)
References
- https://github.com/parisneo/lollms-webui/commit/bb99b59e710d00c4f2598faa5e183fa3 (Patch)
- https://huntr.com/bounties/494f349a-8650-4d30-a0bd-4742fda44ce5 (Exploit, Issue Tracking, Patch)
FAQ
What is CVE-2024-3435?
CVE-2024-3435 is a vulnerability with a CVSS score of 8.4 (HIGH). A path traversal vulnerability exists in the 'save_settings' endpoint of the parisneo/lollms-webui application, affecting versions up to the latest release before 9.5. The vulnerability arises due to ...
How severe is CVE-2024-3435?
CVE-2024-3435 has been rated HIGH with a CVSS base score of 8.4/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2024-3435?
Check the references section above for vendor advisories and patch information. Affected products include: Lollms Lollms Web Ui.