CVE-2024-2362

9.1 CRITICAL

📋 TL;DR

A path traversal vulnerability in parisneo/lollms-webui version 9.3 on Windows allows attackers to delete any file on the system by exploiting improper path validation in the 'del_preset' endpoint. This affects Windows users running the vulnerable version of the web UI. Attackers can use directory traversal sequences to access files outside intended directories.

💻 Affected Systems

Products:
  • parisneo/lollms-webui
Versions: 9.3
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations due to path handling differences between Windows and Linux environments.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via deletion of critical system files, leading to OS corruption, data loss, or service disruption.

🟠

Likely Case

Unauthorized deletion of application files, configuration files, or user data, causing service disruption and potential data loss.

🟢

If Mitigated

Limited to deletion of files within the intended preset directory if proper input validation is implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the 'del_preset' endpoint, which may require authentication depending on configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.4 or later

Vendor Advisory: https://huntr.com/bounties/2433d0a4-9ba0-474b-be1a-6fd5019770ba

Restart Required: Yes

Instructions:

1. Update to version 9.4 or later.
2. Restart the lollms-webui service.
3. Verify the fix by testing the 'del_preset' endpoint with traversal attempts.

🔧 Temporary Workarounds

Input Validation Enhancement

all

Implement server-side validation to reject absolute paths and directory traversal sequences in the 'del_preset' endpoint.

Modify the endpoint handler to sanitize input paths before processing.
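The validation described above, as an added example written for this advisory (not code from lollms-webui): a resolver that maps a user-supplied preset name to a file strictly inside the presets directory, applying Windows path rules via `ntpath` so the drive-letter, backslash and rooted-path cases behave the same whether the check runs on Windows or Linux. The presets directory path and the function names are assumptions.

```python
import ntpath

# Constructed example location; the project's real presets directory is not given on the page.
PRESETS_DIR = r"C:\lollms\presets"


class UnsafePresetName(ValueError):
    """Raised when a user-supplied preset name would escape the presets directory."""


def resolve_preset_path(name: str, presets_dir: str = PRESETS_DIR, pathmod=ntpath) -> str:
    """Map a user-supplied preset name to a file path strictly inside presets_dir.

    pathmod defaults to ntpath so Windows rules (both separators, drive letters,
    UNC prefixes, rooted paths) are enforced even when this runs on Linux.
    presets_dir must be an absolute path.
    """
    if not name or "\x00" in name:
        raise UnsafePresetName("empty or NUL-containing name")
    # A colon means a drive letter (C:foo) or an NTFS alternate data stream (f:s);
    # neither is ever a valid preset name.
    if ":" in name:
        raise UnsafePresetName(f"drive letter or stream syntax in {name!r}")
    # Absolute, UNC (\\server\share) or rooted (\Windows) names are rejected outright.
    if pathmod.isabs(name) or pathmod.splitdrive(name)[0] or name[0] in "\\/":
        raise UnsafePresetName(f"absolute or rooted path {name!r}")
    # Windows accepts / and \ interchangeably, so split on both before looking for '..'.
    parts = name.replace("\\", "/").split("/")
    if any(part in ("", ".", "..") for part in parts):
        raise UnsafePresetName(f"traversal or empty component in {name!r}")
    base = pathmod.normpath(presets_dir)
    candidate = pathmod.normpath(pathmod.join(base, name))
    # Defence in depth: after normalisation the result must still sit under presets_dir.
    if pathmod.commonpath([base, candidate]) != base:
        raise UnsafePresetName(f"{name!r} resolves outside {presets_dir}")
    return candidate


def is_safe_preset_name(name: str) -> bool:
    """Accept/reject wrapper for handlers that only need a boolean decision."""
    try:
        resolve_preset_path(name)
    except UnsafePresetName:
        return False
    return True
```

The endpoint handler should call `resolve_preset_path` and only ever delete the path it returns, so a rejected name never reaches the filesystem call.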

Endpoint Restriction

all

Restrict access to the 'del_preset' endpoint to trusted users or disable it if not needed.

Configure firewall rules or application-level access controls to limit endpoint access.

🧯 If You Can't Patch

  • Implement network segmentation to isolate the lollms-webui instance from critical systems.
  • Enable detailed logging for the 'del_preset' endpoint and monitor for suspicious deletion attempts.

🔍 How to Verify

Check if Vulnerable:

Check if running version 9.3 on Windows and test the 'del_preset' endpoint with a traversal payload (e.g., '../../windows/system32/testfile').

Check Version:

Check the application version in the web UI interface or configuration files.

Verify Fix Applied:

After updating, test the 'del_preset' endpoint with traversal payloads to ensure they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Log entries showing file deletion attempts with '..' sequences or absolute paths in the 'del_preset' endpoint.

Network Indicators:

  • HTTP requests to the 'del_preset' endpoint containing path traversal sequences.

SIEM Query:

source="lollms-webui" AND endpoint="del_preset" AND (path="*..*" OR path="*:*")
