Parisneo Lollms-Webui Path Traversal Vulnerability in Install and Uninstall Endpoints

Vulnerability

A path traversal vulnerability has been identified in the 'install' and 'uninstall' API endpoints of Parisneo Lollms-Webui version V12 (Strawberry). This vulnerability allows attackers to create or delete directories with arbitrary paths on the system. The issue stems from inadequate sanitization of user-supplied input, which can be exploited to traverse directories outside the intended path.

Impact

Exploitation of this vulnerability could lead to unauthorized creation or deletion of directories on the system, potentially disrupting normal application or system operations.

Reproduction

The vulnerability can be reproduced by sending a request to the 'install' or 'uninstall' API endpoints with a crafted 'app_name' parameter that includes path traversal sequences. The lack of proper input sanitization allows the parameter to traverse directories and manipulate the file system in unintended ways.

Remediation

Users are advised to update to the latest version of Parisneo Lollms-Webui, where this vulnerability has been addressed by improving the sanitization of input in the affected API endpoints.
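As an added illustration of the remediation described above (example code written for this page, not Lollms-Webui's own implementation), the unchecked join of `app_name` into a directory path is shown beside a hardened version that validates the name and re-checks the resolved path; `APPS_ROOT`, the function names and the scratch directory are assumptions.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Constructed sample layout: a scratch apps directory, not the project's real path.
APPS_ROOT = Path(tempfile.mkdtemp(prefix="lollms_demo_")).resolve() / "apps"
APPS_ROOT.mkdir()

# Accept exactly one plain directory name: no separators, no leading dot.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def unsafe_app_dir(app_name: str) -> Path:
    """Vulnerable pattern: the parameter is joined into the path unchecked,
    so a name containing traversal sequences resolves outside APPS_ROOT."""
    return (APPS_ROOT / app_name).resolve()


def escapes_root(path: Path) -> bool:
    """True when a resolved path is not a direct child of APPS_ROOT."""
    return path.parent != APPS_ROOT


def safe_app_dir(app_name: str) -> Path:
    """Hardened pattern: validate the name, then re-check the resolved path
    (the second check also catches a symlink planted under APPS_ROOT)."""
    if not _SAFE_NAME.fullmatch(app_name):
        raise ValueError(f"invalid app_name: {app_name!r}")
    target = (APPS_ROOT / app_name).resolve()
    if escapes_root(target):
        raise ValueError(f"app_name escapes apps directory: {app_name!r}")
    return target


def is_valid_app_name(app_name: str) -> bool:
    """Convenience wrapper: does the name pass both hardened checks?"""
    try:
        safe_app_dir(app_name)
    except ValueError:
        return False
    return True


def install_app(app_name: str) -> Path:
    """Create the app directory only for a validated name."""
    target = safe_app_dir(app_name)
    target.mkdir(exist_ok=True)
    return target


def uninstall_app(app_name: str) -> bool:
    """Delete the app directory only for a validated name; False if absent."""
    target = safe_app_dir(app_name)
    if not target.is_dir():
        return False
    shutil.rmtree(target)
    return True
```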

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 2.5
exploitability: 5.8
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.