1213 matches found
CVE-2024-7037 Arbitrary File Write/Delete Leading to RCE in open-webui/open-webui
In version v0.3.8 of open-webui/open-webui, the endpoint /api/pipelines/upload is vulnerable to arbitrary file write and delete due to unsanitized file.filename concatenation with CACHEDIR. This vulnerability allows attackers to overwrite and delete system files, potentially leading to remote cod...
CVE-2024-7037 Arbitrary File Write/Delete Leading to RCE in open-webui/open-webui
In version v0.3.8 of open-webui/open-webui, the endpoint /api/pipelines/upload is vulnerable to arbitrary file write and delete due to unsanitized file.filename concatenation with CACHEDIR. This vulnerability allows attackers to overwrite and delete system files, potentially leading to remote cod...
CVE-2024-7037 Arbitrary File Write/Delete Leading to RCE in open-webui/open-webui
In version v0.3.8 of open-webui/open-webui, the endpoint /api/pipelines/upload is vulnerable to arbitrary file write and delete due to unsanitized file.filename concatenation with CACHEDIR. This vulnerability allows attackers to overwrite and delete system files, potentially leading to remote cod...
CVE-2024-7037
Open WebUI project (open-webui) v0.3.8 has a path traversal/Arbitrary File Write and Delete vulnerability in the /api/pipelines/upload endpoint caused by unsanitized file.filename concatenation with CACHE_DIR. This allows an attacker to overwrite or delete system files and could lead to remote co...
CVE-2024-7038
An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existenc...
CVE-2024-7038
An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existenc...
CVE-2024-7038 Information Disclosure in open-webui/open-webui
An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existenc...
CVE-2024-7038 Information Disclosure in open-webui/open-webui
An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existenc...
CVE-2024-7038
CVE-2024-7038 describes an information disclosure in open-webui v0.3.8 where the embedding model update feature under admin settings reveals different error messages based on file existence/configuration. This enables an attacker to enumerate file names and traverse directories, exposing sensitiv...
Open WebUI 信息泄露漏洞
Open WebUI is an extensible, feature-rich, user-friendly self-hosted WebUI from Open WebUI open source. An information disclosure vulnerability exists in Open WebUI version v0.3.8, which stems from the presence of an information disclosure vulnerability that allows an attacker to disclose sensiti...
PT-2024-38043 · Unknown · Open-Webui
Name of the Vulnerable Software and Affected Versions: open-webui version v0.3.8 Description: The issue is related to improper privilege management in the API endpoints "GET /api/v1/documents/" and "POST /rag/api/v1/doc". This allows a lower-privileged user to access and overwrite files managed b...
Open WebUI 安全漏洞
Open WebUI is an extensible, feature-rich, user-friendly self-hosted WebUI from Open WebUI open source. A security vulnerability exists in Open WebUI version v0.3.8 that stems from the presence of an insecure direct object reference IDOR vulnerability that allows an attacker to edit another user'...
Open WebUI 路径遍历漏洞
Open WebUI is an extensible, feature-rich, user-friendly self-hosted WebUI from Open WebUI open source. A path traversal vulnerability exists in Open WebUI version v0.3.8 that stems from vulnerability to arbitrary file write and delete attacks, allowing an attacker to overwrite and delete system...
PT-2024-38041
Name of the Vulnerable Software and Affected Versions open-webui/open-webui version v0.3.8 Description An Insecure Direct Object Reference IDOR vulnerability exists, occurring in the API endpoint http://0.0.0.0:3000/api/v1/memories/id/update. The decentralization design is flawed, allowing...
PT-2025-12199
Name of the Vulnerable Software and Affected Versions open-webui version 0.3.8 Description An endpoint for converting Markdown to HTML is exposed without authentication. A maliciously crafted markdown payload can cause the server to spend excessive time converting it, leading to a denial of...
Open WebUI 0.1.105 File Upload / Path Traversal Vulnerabilities
Title: Open WebUI Arbitrary File Upload + Path Traversal Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-006.txt 1. Vulnerability Details Affected Vendor: Open WebUI Affected Product: Open WebUI Affected Version: 0.1.105 Platform: Debian 12 CWE Classification: CWE-22:...
Open WebUI 0.1.105 File Upload / Path Traversal
KL-001-2024-006: Open WebUI Arbitrary File Upload + Path Traversal Title: Open WebUI Arbitrary File Upload + Path Traversal Advisory ID: KL-001-2024-006 Publication Date: 2024.08.D06 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-006.txt 1. Vulnerability Details Affected...
Open WebUI 0.1.105 Persistent Cross Site Scripting Vulnerability
Title: Open WebUI Stored Cross-Site Scripting Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-005.txt 1. Vulnerability Details Affected Vendor: Open WebUI Affected Product: Open WebUI Affected Version: 0.1.105 Platform: Debian 12 CWE Classification: CWE-79: Improper...
Open WebUI 0.1.105 Persistent Cross Site Scripting
KL-001-2024-005: Open WebUI Stored Cross-Site Scripting Title: Open WebUI Stored Cross-Site Scripting Advisory ID: KL-001-2024-005 Publication Date: 2024.08.06 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-005.txt 1. Vulnerability Details Affected Vendor: Open WebUI...
CVE-2024-6707 Open WebUI Arbitrary File Upload + Path Traversal
Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traversal vulnerability...