Path Traversal Vulnerability in Lollms-Webui
CVE-2024-6985

4.4 MEDIUM

Key Information:

Vendor: Parisneo
CVE Published: 11 October 2024

Summary

A path traversal vulnerability exists in the open_personality_folder API endpoint of parisneo/lollms-webui. This vulnerability allows an attacker to read any folder in the personality_folder on the victim's computer, even though sanitize_path is set. The issue arises from improper sanitization of the personality_folder parameter, which can be exploited to traverse directories and access arbitrary files.
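The gap between filtering a folder parameter and containing it can be shown with an added example; this is not code from lollms-webui. The naive_sanitize function is a constructed stand-in and not the project's sanitize_path, and the personalities directory layout and sample inputs are assumptions built in a temporary directory.

```python
import tempfile
from pathlib import Path

def naive_sanitize(name: str) -> str:
    # Constructed stand-in for a filter-style sanitizer (NOT lollms' sanitize_path):
    # a single pass that deletes "../" can leave a traversal sequence behind.
    return name.replace("../", "")

def resolve_contained(base: Path, name: str) -> Path:
    """Return the folder `name` under `base`, or raise if it escapes `base`."""
    base = base.resolve()
    # resolve() collapses ".." and follows symlinks; an absolute `name`
    # replaces `base` entirely, which the containment test below also catches.
    candidate = (base / name).resolve()
    if base not in candidate.parents:
        raise ValueError(f"{name!r} is outside {base}")
    if not candidate.is_dir():
        raise ValueError(f"{name!r} is not an existing folder")
    return candidate

def check_samples() -> dict:
    """Run constructed inputs through both approaches inside a temp tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        base = root / "personalities"        # hypothetical personalities root
        (base / "generic" / "assistant").mkdir(parents=True)
        (root / "private").mkdir()           # sibling folder that must stay unreachable
        samples = {                          # constructed request values
            "valid": "generic/assistant",
            "dotdot": "../private",
            "nested": "....//private",
            "absolute": str(root / "private"),
        }
        for label, raw in samples.items():
            filtered = naive_sanitize(raw)
            # Would the filter-only result still point outside the base folder?
            filter_escapes = base.resolve() not in (base / filtered).resolve().parents
            try:
                resolve_contained(base, raw)
                contained = "allowed"
            except ValueError:
                contained = "rejected"
            results[label] = (filter_escapes, contained)
    return results

if __name__ == "__main__":
    for label, outcome in check_samples().items():
        print(label, outcome)
```

Each result pairs whether the filter-only path still leaves the base folder with the decision of the resolve-then-compare check.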

Affected Version(s)

parisneo/lollms < 5.9.0

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
