A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient sanitization of user input. The issue arises from the lack of path sanitization when handling the `name` parameter in the `unInstall_binding` function, allowing an attacker to traverse directories and execute arbitrary code by loading a malicious `__init__.py` file. This vulnerability affects the latest version of the software. The exploitation of this vulnerability could lead to remote code execution on the system where parisneo/lollms is deployed.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: @huntr_ai
Published: 2024-05-16T09:03:49.562Z
Updated: 2024-08-08T14:40:25.921Z
Reserved: 2024-04-23T14:42:00.879Z
Link: CVE-2024-4078
Vulnrichment
Updated: 2024-08-01T20:33:51.663Z
NVD
Status : Awaiting Analysis
Published: 2024-05-16T09:15:15.313
Modified: 2024-11-21T09:42:09.057
Link: CVE-2024-4078
Redhat
No data.