Lucene search

@huntr_aiCVELIST:CVE-2024-4841

HistoryJun 23, 2024 - 2:33 p.m.

CVE-2024-4841 Path Traversal in parisneo/lollms-webui

2024-06-2314:33:33

CWE-29

@huntr_ai

www.cve.org

path traversal

parisneo/lollms-webui

input sanitization

http requests

vulnerability

version 9.6+ .

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

Percentile

9.1%

JSON

A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the ‘add_reference_to_local_mode’ function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest. By exploiting this vulnerability, an attacker can predict the folders, subfolders, and files present on the victim’s computer. The vulnerability is present in the way the application handles the ‘path’ parameter in HTTP requests to the ‘/add_reference_to_local_model’ endpoint.

CNA Affected

[
  {
    "vendor": "parisneo",
    "product": "parisneo/lollms-webui",
    "versions": [
      {
        "version": "unspecified",
        "status": "affected",
        "versionType": "custom",
        "lessThanOrEqual": "latest"
      }
    ]
  }
]

References

huntr.com/bounties/740dda3e-7104-4ccf-9ac4-8870e4d6d602

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS

Percentile

9.1%

JSON

Related for CVELIST:CVE-2024-4841