Headline
GHSA-m45c-v46h-c788: lollms path traversal vulnerability allows overriding of config.yaml file, leading to RCE
A path traversal vulnerability in the /set_personality_config
endpoint of parisneo/lollms version 9.4.0 allows an attacker to overwrite the configs/config.yaml
file. This can lead to remote code execution by changing server configuration properties such as force_accept_remote_access
and turn_on_code_validation
.
lollms path traversal vulnerability allows overriding of config.yaml file, leading to RCE
High severity GitHub Reviewed Published Jun 27, 2024 to the GitHub Advisory Database • Updated Jun 28, 2024