CVE-2024-2360
Published: 06 June 2024
Summary
CVE-2024-2360 is a critical-severity Path Traversal: '\..\filename' (CWE-29) vulnerability in Lollms Web UI (parisneo/lollms-webui). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 9.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related: the affected product is categorised as Other Platforms, in the Other ATLAS/OWASP Terms risk domain.
Deeper analysis
parisneo/lollms-webui is affected by a path traversal vulnerability that can result in remote code execution. The issue stems from insufficient sanitization of user-supplied input in the Database path and PDF LaTeX path settings, specifically the discussion_db_name and pdf_latex_path parameters, which fail to validate file paths and permit directory traversal in the latest version of the software. The flaw is tracked under CWE-22 and CWE-29 and carries a CVSS 3.1 score of 9.8.
An unauthenticated attacker with network access can supply crafted values for these parameters to traverse directories, execute arbitrary code on the server, and potentially expose additional files or enable further attack chains.
The associated EPSS score rose from a low baseline to a peak of 0.0971, indicating that exploitation interest increased after disclosure. Details of the issue are documented in the referenced huntr.com bounty reports.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-27313
Vulnerability details
parisneo/lollms-webui is vulnerable to path traversal attacks that can lead to remote code execution due to insufficient sanitization of user-supplied input in the 'Database path' and 'PDF LaTeX path' settings. An attacker can exploit this vulnerability by manipulating these settings to execute arbitrary code on the targeted server. The issue affects the latest version of the software. The vulnerability stems from the application's handling of the 'discussion_db_name' and 'pdf_latex_path' parameters, which do not properly validate file paths, allowing for directory traversal. This vulnerability can also lead to further file exposure and other attack vectors by manipulating the 'discussion_db_name' parameter.
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: parisneo/lollms-webui is a web user interface for managing and running large language models (LLMs), fitting as an other AI platform rather than a framework, library, or specific tool category.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in web UI settings enables arbitrary file exposure (T1005, T1083) and remote code execution (T1190) due to unsanitized user input.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
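The control above, applied to settings like the 'discussion_db_name' and 'pdf_latex_path' parameters this advisory describes, as an added illustration that is not code from lollms-webui: a validator that confines a user-supplied value to a configured base directory, rejecting both '/' and '\' traversal (CWE-22 and CWE-29), absolute paths and drive letters, and anything that still resolves outside the base once symlinks are followed. The base directory and the sample values are constructed for the demo.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafePathError(ValueError):
    """Raised when a user-supplied setting would escape the allowed directory."""


def safe_settings_path(base_dir: str, user_value: str) -> Path:
    """Resolve a user-controlled setting value (for example a database file
    name) to a path that is guaranteed to stay inside base_dir.

    Rejects NUL bytes, absolute paths and drive letters (either separator
    style), every '.' or '..' segment, and anything that still resolves
    outside base_dir once symlinks in existing components are followed.
    """
    base = Path(base_dir).resolve()
    if not user_value or "\x00" in user_value:
        raise UnsafePathError("empty value or NUL byte")
    # Treat '\' like '/' so '\..\x' (CWE-29) is caught exactly like '../x'.
    normalised = user_value.replace("\\", "/")
    if PurePosixPath(normalised).is_absolute() or PureWindowsPath(user_value).drive:
        raise UnsafePathError("absolute paths and drive letters are not allowed")
    if any(part in (".", "..") for part in PurePosixPath(normalised).parts):
        raise UnsafePathError("dot segments are not allowed")
    candidate = (base / normalised).resolve()
    # Final containment check on the resolved path: this is what survives
    # symlinks and other tricks that pure string filtering misses.
    if candidate != base and base not in candidate.parents:
        raise UnsafePathError("resolved path escapes the base directory")
    return candidate


def is_safe(base_dir: str, user_value: str) -> bool:
    """True if safe_settings_path accepts user_value, False if it rejects it."""
    try:
        safe_settings_path(base_dir, user_value)
    except UnsafePathError:
        return False
    return True


# Constructed sample values shaped like the settings named in the advisory.
SAMPLES = {
    "discussions.db": True,            # plain file name: accepted
    "user1/discussions.db": True,      # subdirectory: accepted
    "../../../other.db": False,        # '/' traversal (CWE-22)
    "..\\..\\other.db": False,         # '\' traversal (CWE-29)
    "/abs/other.db": False,            # absolute path
    "C:\\other.db": False,             # drive letter
    "logs/../../other.db": False,      # traversal hidden mid-path
}

if __name__ == "__main__":
    for value, expected in SAMPLES.items():
        verdict = "accepted" if is_safe("/tmp/lollms_data", value) else "rejected"
        print(f"{value!r:28} -> {verdict} (expected {'accept' if expected else 'reject'})")
```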