Path Traversal Vulnerability in Lollms-Webui Could Lead to Information Disclosure
CVE-2024-4322
7.5 HIGH
Key Information:
- Vendor: Parisneo
- Project: Parisneo/lollms-webui
- CVE Published: 16 May 2024
Summary
The vulnerability in the ParisNeo Lollms-WebUI application allows an attacker to abuse the /list_personalities endpoint. By manipulating the category parameter, it is possible to traverse the directory structure of the server. Because the user-supplied value is not validated before it is used to build a filesystem path, it can be leveraged to list the contents of sensitive directories, potentially exposing critical information stored on the system. The issue remains present in the latest version of the application, highlighting the need for immediate mitigation measures.
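The pattern described above, as an added illustration that is not code from the lollms-webui project: a directory-listing helper that joins the user-supplied category onto the personalities root without a containment check, next to a hardened version that resolves the path and rejects anything outside the root. The directory layout, function names and the file "config.yaml" are constructed for the demo.

```python
from pathlib import Path
import tempfile


class TraversalError(ValueError):
    """Raised when a user-supplied category escapes the personalities root."""


def list_personalities_unsafe(root: Path, category: str) -> list[str]:
    # Vulnerable pattern: the request parameter is joined onto the base path
    # with no check that the result stays inside it, so "../" walks up the tree.
    target = root / category
    return sorted(p.name for p in target.iterdir())


def list_personalities_safe(root: Path, category: str) -> list[str]:
    # Hardened version: resolve both paths (collapsing ".." and following
    # symlinks), then require the target to be the root or a descendant of it.
    # An absolute category such as "/etc" replaces the root when joined, so it
    # also fails this check.
    root = root.resolve()
    target = (root / category).resolve()
    if target != root and root not in target.parents:
        raise TraversalError(f"category escapes personalities root: {category!r}")
    if not target.is_dir():
        raise FileNotFoundError(category)
    return sorted(p.name for p in target.iterdir())


def build_demo_tree() -> Path:
    """Constructed sample layout (hypothetical, not the project's): a
    personalities directory beside a 'secrets' directory that must never be
    listed. Returns the personalities root."""
    base = Path(tempfile.mkdtemp())
    (base / "personalities" / "generic" / "assistant").mkdir(parents=True)
    (base / "secrets").mkdir()
    (base / "secrets" / "config.yaml").write_text("constructed placeholder\n")
    return base / "personalities"


def demo() -> dict:
    root = build_demo_tree()
    result = {"valid": list_personalities_safe(root, "generic")}
    escaping = "../secrets"
    result["unsafe_leaks"] = list_personalities_unsafe(root, escaping)
    try:
        list_personalities_safe(root, escaping)
        result["safe_blocked"] = False
    except TraversalError:
        result["safe_blocked"] = True
    return result


if __name__ == "__main__":
    print(demo())
```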
Affected Version(s)
parisneo/lollms-webui <= unspecified
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved