A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient sanitization of user input. The issue arises from the lack of path sanitization when handling the `name` parameter in the `unInstall_binding` function, allowing an attacker to traverse directories and execute arbitrary code by loading a malicious `__init__.py` file. This vulnerability affects the latest version of the software. The exploitation of this vulnerability could lead to remote code execution on the system where parisneo/lollms is deployed.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-05-16T09:03:49.562Z

Updated: 2024-08-08T14:40:25.921Z

Reserved: 2024-04-23T14:42:00.879Z

Link: CVE-2024-4078

cve-icon Vulnrichment

Updated: 2024-08-01T20:33:51.663Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-05-16T09:15:15.313

Modified: 2024-11-21T09:42:09.057

Link: CVE-2024-4078

cve-icon Redhat

No data.