AVID-2026-R1395

Description

Path Traversal Vulnerability in parisneo/lollms-webui (CVE-2024-1511)

Details

The parisneo/lollms-webui repository is susceptible to a path traversal vulnerability due to inadequate validation of user-supplied file paths. This flaw allows an unauthenticated attacker to read, write, and in certain configurations execute arbitrary files on the server by exploiting various endpoints. The vulnerability can be exploited even when the service is bound to localhost, through cross-site requests facilitated by malicious HTML/JS pages.

Reason for inclusion in AVID: CVE-2024-1511 documents a path traversal vulnerability in parisneo/lollms-webui, enabling unauthenticated attackers to read, write, and potentially execute arbitrary files via the web UI. This is a software vulnerability in a component commonly used to host or serve AI models (AI deployment/UI stack). As such, it directly pertains to the software supply chain of general-purpose AI systems (model serving stacks, UI front-ends, and related tooling) rather than hardware/firmware. The CVE details (path traversal CWE-22, CVSSv3.0 9.8, network-based, no user interaction) provide clear security risk signals and references, supporting its relevance to AI software supply chains.

References

• NVD entry
• https://huntr.com/bounties/62b77589-772d-4d6e-aef4-2aec4cfe5f8b

Affected or Relevant Artifacts

• Developer: parisneo
• Deployer: parisneo
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2024-04-10
• Version: 0.3.3
• AVID Entry