Path Traversal Vulnerability in Lollms-Webui Affects Versions Up to 9.5
CVE-2024-3322
9.8 CRITICAL
Key Information:
- Vendor: Parisneo
- Product: Parisneo/lollms-webui
- CVE Published: 6 June 2024
Summary
A path traversal vulnerability has been identified in the native personality 'codeguard' of the parisneo/lollms-webui, affecting all versions up to 9.5. This vulnerability arises from the inadequate restriction of user-supplied input to the 'process_folder' function defined in processor.py. The flaw enables an attacker to bypass directory limitations by using '../' or absolute paths, which exposes the application to arbitrary file read and overwrite actions. Consequently, this can result in the unauthorized disclosure of sensitive information and manipulation of files in the specified directories, representing a critical security issue for users of the product.
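As an added, defensive illustration (not code from lollms-webui), the block below contrasts a string-prefix check on the joined path, which '../' input slips past, with a containment check that canonicalises the path and verifies it stays inside a configured base directory, as a process_folder-style routine should; the base path and file names are constructed.

```python
"""Path-containment check for a folder-processing routine.

Added example, not lollms-webui's own code: user-supplied paths must
resolve inside a configured base directory, rejecting both '../'
segments and absolute paths.
"""
import os
from pathlib import Path


def naive_is_inside(base: str, user_path: str) -> bool:
    """The weak check: join, then compare string prefixes.
    'sub/../../etc/passwd' passes because the joined string still
    starts with base; nothing normalises the '..' segments."""
    joined = os.path.join(base, user_path)
    return joined.startswith(base)


def resolve_under_base(base: str, user_path: str) -> Path:
    """Return the canonical path of user_path inside base, or raise ValueError.

    - base is canonicalised first (symlinks, '.' and '..' removed).
    - Joining an absolute user_path discards base entirely, so the
      containment check below is what rejects absolute input.
    - resolve(strict=False) canonicalises even when the target does not
      exist yet, which matters for write/overwrite operations.
    - relative_to() compares path components, so '/srv/data2' is not
      mistaken for a child of '/srv/data' the way startswith() would.
    """
    base_dir = Path(base).resolve()
    candidate = (base_dir / user_path).resolve(strict=False)
    try:
        candidate.relative_to(base_dir)
    except ValueError:
        raise ValueError(f"path escapes base directory: {user_path!r}") from None
    return candidate


def is_safe_path(base: str, user_path: str) -> bool:
    """Boolean wrapper around resolve_under_base()."""
    try:
        resolve_under_base(base, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs; the base directory need not exist.
    base = "/srv/lollms/projects"
    for p in ["report/main.py", "../../etc/passwd", "/etc/passwd", "a/../b"]:
        print(f"{p!r:20} naive={naive_is_inside(base, p)!s:5} hardened={is_safe_path(base, p)}")
```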
Affected Version(s)
parisneo/lollms-webui < 9.5
CVSS V3.1
- Score: 9.8
- Severity: CRITICAL
- Confidentiality: High
- Integrity: High
- Availability: High
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Collectors: NVD Database, Mitre Database