Cyber Resilience

CVE-2024-2360

Critical · Public PoC

Published: 06 June 2024
Modified: 21 November 2024
KEV Added: not listed
Patch: (no entry)
CVSS v3.1 score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0529 (90.2 percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-2360 is a critical-severity Path Traversal: '\..\filename' (CWE-29) vulnerability in Lollms Web Ui (vendor: Lollms). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked in the top 9.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: the affected software is categorised as Other Platforms, in the Other ATLAS/OWASP Terms risk domain.

Deeper analysis

parisneo/lollms-webui is affected by a path traversal vulnerability that can result in remote code execution. The issue stems from insufficient sanitization of user-supplied input in the Database path and PDF LaTeX path settings, specifically the discussion_db_name and pdf_latex_path parameters, which fail to validate file paths and permit directory traversal in the latest version of the software. The flaw is tracked under CWE-22 and CWE-29 and carries a CVSS 3.1 score of 9.8.

An unauthenticated attacker with network access can supply crafted values for these parameters to traverse directories, execute arbitrary code on the server, and potentially expose additional files or enable further attack chains.

The associated EPSS score rose from a low baseline to a peak of 0.0971, indicating that exploitation interest increased after disclosure. Details of the issue are documented in the referenced huntr.com bounty reports.

EU & UK References

Vulnerability details

parisneo/lollms-webui is vulnerable to path traversal attacks that can lead to remote code execution due to insufficient sanitization of user-supplied input in the 'Database path' and 'PDF LaTeX path' settings. An attacker can exploit this vulnerability by manipulating these settings to execute arbitrary code on the targeted server. The issue affects the latest version of the software. The vulnerability stems from the application's handling of the 'discussion_db_name' and 'pdf_latex_path' parameters, which do not properly validate file paths, allowing for directory traversal. This vulnerability can also lead to further file exposure and other attack vectors by manipulating the 'discussion_db_name' parameter.

CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal'), CWE-29 (Path Traversal: '\..\filename')

AI Security Analysis

AI Category: Other Platforms
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: parisneo/lollms-webui is a web user interface for managing and running large language models (LLMs), so it is classified as an other AI platform rather than as a framework, library, or specific tool category.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal in web UI settings enables arbitrary file exposure (T1005, T1083) and remote code execution (T1190) due to unsanitized user input.

Affected Assets

Vendor: lollms
Product: lollms web ui
Versions: all versions

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
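As an added example (not code from the lollms-webui project), this is the kind of path validation the control above describes, applied to a file-name setting such as the discussion_db_name parameter discussed in the analysis: it rejects absolute and drive-anchored values, rejects '..' segments written with either separator (the '\..\' form of CWE-29 as well as '../'), and confirms after resolution that the file still sits under the intended directory. The base directory name "databases", the function names and the ".db" suffix rule are assumptions for illustration.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath


def safe_path_in(base_dir, user_value, allowed_suffixes=(".db",)):
    """Map a user-supplied file name to a path inside base_dir.

    Returns the resolved Path, or None when the value would escape base_dir
    (CWE-22), uses '\\..\\' style traversal (CWE-29), is anchored to a root,
    drive or UNC share, or does not carry an allowed suffix.
    """
    if not isinstance(user_value, str) or not user_value or "\x00" in user_value:
        return None
    # Reject anything anchored on either OS flavour: '/etc/passwd', 'C:x.db'
    # and '\\\\server\\share\\x' all have a non-empty anchor.
    if PurePosixPath(user_value).anchor or PureWindowsPath(user_value).anchor:
        return None
    # Normalise both separators before looking for '..' segments, so that
    # '..\\..\\x' is treated exactly like '../../x'.
    parts = [p for p in user_value.replace("\\", "/").split("/") if p and p != "."]
    if not parts or any(p == ".." for p in parts):
        return None
    base = Path(base_dir).resolve()
    candidate = base.joinpath(*parts).resolve()
    # Defence in depth: after symlink resolution the file must still be strictly below base.
    if base not in candidate.parents:
        return None
    if candidate.suffix.lower() not in allowed_suffixes:
        return None
    return candidate


def apply_db_setting(settings, user_value, base_dir="databases"):
    """Hypothetical settings handler: stores discussion_db_name only if it validates.

    The stored value is the vetted path relative to base_dir, never the raw input.
    """
    path = safe_path_in(base_dir, user_value)
    if path is None:
        return False
    settings["discussion_db_name"] = str(path.relative_to(Path(base_dir).resolve()))
    return True
```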

References