CVE-2024-4320 Information

Description

A remote code execution (RCE) vulnerability exists in the '/install_extension' endpoint of the parisneo/lollms-webui application, specifically within the @router.post("/install_extension") route handler. The vulnerability arises from improper handling of the name parameter in the ExtensionBuilder().build_extension() method, which allows local file inclusion (LFI) leading to arbitrary code execution. An attacker can exploit this vulnerability by crafting a malicious name parameter that causes the server to load and execute a __init__.py file from an arbitrary location, such as the upload directory for discussions. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to remote code execution without requiring user interaction, especially when the application is exposed to an external endpoint or operated in headless mode.
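
One way to constrain a client-supplied extension name before any package is loaded from it, shown as an added example that is not code from lollms-webui or from the advisory. The function names, the rule that an extension is a single directory name under one root, and the sample directory layout are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Assumption: an extension is identified by a single directory name under one root.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


class UnsafeExtensionName(ValueError):
    """Raised when a requested extension name must not be loaded."""


def resolve_extension_dir(extensions_root: Path, name: str) -> Path:
    """Map a client-supplied name to a package directory inside extensions_root."""
    # 1. Syntactic allow-list: no separators, no "..", no absolute paths, no empty name.
    if not isinstance(name, str) or not _NAME_RE.fullmatch(name):
        raise UnsafeExtensionName(f"rejected extension name: {name!r}")
    root = extensions_root.resolve(strict=True)
    # 2. Containment after symlink resolution: a link inside the root that points
    #    at another directory (for example an upload area) resolves outside it.
    candidate = (root / name).resolve()
    if candidate.parent != root:
        raise UnsafeExtensionName(f"{name!r} resolves outside {root}")
    # 3. Only load packages that are actually installed under the root.
    if not (candidate / "__init__.py").is_file():
        raise UnsafeExtensionName(f"{name!r} is not an installed extension")
    return candidate


def is_allowed(extensions_root: Path, name: str) -> bool:
    """Boolean wrapper, convenient for request validation and logging."""
    try:
        resolve_extension_dir(extensions_root, name)
        return True
    except UnsafeExtensionName:
        return False


if __name__ == "__main__":
    # Constructed layout: one installed extension and one package in an upload directory.
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for pkg in ("extensions/good_ext", "uploads/dropped"):
            (base / pkg).mkdir(parents=True)
            (base / pkg / "__init__.py").write_text("")
        for name in ("good_ext", "../uploads/dropped", str(base / "uploads/dropped")):
            print(f"{name!r}: {is_allowed(base / 'extensions', name)}")
```

Rejected names are worth logging together with the requesting client, since a traversal sequence or absolute path in this parameter has no legitimate use.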

Reference

https://huntr.com/bounties/d6564f04-0f59-4686-beb2-11659342279b
