Описание
lollms path traversal vulnerability allows overriding of config.yaml file, leading to RCE
A path traversal vulnerability in the /set_personality_config endpoint of parisneo/lollms version 9.4.0 allows an attacker to overwrite the configs/config.yaml file. This can lead to remote code execution by changing server configuration properties such as force_accept_remote_access and turn_on_code_validation.
Пакеты
Наименование
lollms
pip
Затронутые версииВерсия исправления
< 9.5.0
9.5.0
Связанные уязвимости
CVSS3: 7.4
nvd
больше 1 года назад
A path traversal vulnerability in the `/set_personality_config` endpoint of parisneo/lollms version 9.4.0 allows an attacker to overwrite the `configs/config.yaml` file. This can lead to remote code execution by changing server configuration properties such as `force_accept_remote_access` and `turn_on_code_validation`.