Lucene search
K

1213 matches found

Cvelist
Cvelist
added 2024/10/09 7:52 p.m.29 views

CVE-2024-7037 Arbitrary File Write/Delete Leading to RCE in open-webui/open-webui

In version v0.3.8 of open-webui/open-webui, the endpoint /api/pipelines/upload is vulnerable to arbitrary file write and delete due to unsanitized file.filename concatenation with CACHEDIR. This vulnerability allows attackers to overwrite and delete system files, potentially leading to remote cod...

6.5CVSS0.01032EPSS
Exploits1References1
OSV
OSV
added 2024/10/09 7:52 p.m.5 views

CVE-2024-7037 Arbitrary File Write/Delete Leading to RCE in open-webui/open-webui

In version v0.3.8 of open-webui/open-webui, the endpoint /api/pipelines/upload is vulnerable to arbitrary file write and delete due to unsanitized file.filename concatenation with CACHEDIR. This vulnerability allows attackers to overwrite and delete system files, potentially leading to remote cod...

6.5CVSS7AI score0.01032EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2024/10/09 7:52 p.m.16 views

CVE-2024-7037 Arbitrary File Write/Delete Leading to RCE in open-webui/open-webui

In version v0.3.8 of open-webui/open-webui, the endpoint /api/pipelines/upload is vulnerable to arbitrary file write and delete due to unsanitized file.filename concatenation with CACHEDIR. This vulnerability allows attackers to overwrite and delete system files, potentially leading to remote cod...

6.5CVSS7.8AI score0.01032EPSS
Exploits1References1
CVE
CVE
added 2024/10/09 7:52 p.m.82 views

CVE-2024-7037

Open WebUI project (open-webui) v0.3.8 has a path traversal/Arbitrary File Write and Delete vulnerability in the /api/pipelines/upload endpoint caused by unsanitized file.filename concatenation with CACHE_DIR. This allows an attacker to overwrite or delete system files and could lead to remote co...

7.2CVSS7AI score0.01032EPSS
Exploits1References1Affected Software1
OSV
OSV
added 2024/10/09 7:15 p.m.5 views

CVE-2024-7038

An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existenc...

2.7CVSS5.8AI score0.00336EPSS
Exploits1References1
NVD
NVD
added 2024/10/09 7:15 p.m.39 views

CVE-2024-7038

An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existenc...

2.7CVSS0.00336EPSS
Exploits1References1
Cvelist
Cvelist
added 2024/10/09 6:26 p.m.43 views

CVE-2024-7038 Information Disclosure in open-webui/open-webui

An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existenc...

2.7CVSS0.00336EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2024/10/09 6:26 p.m.15 views

CVE-2024-7038 Information Disclosure in open-webui/open-webui

An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existenc...

2.7CVSS6.3AI score0.00336EPSS
Exploits1References1
CVE
CVE
added 2024/10/09 6:26 p.m.56 views

CVE-2024-7038

CVE-2024-7038 describes an information disclosure in open-webui v0.3.8 where the embedding model update feature under admin settings reveals different error messages based on file existence/configuration. This enables an attacker to enumerate file names and traverse directories, exposing sensitiv...

2.7CVSS3.2AI score0.00336EPSS
Exploits1References1Affected Software1
CNNVD
CNNVD
added 2024/10/09 12:0 a.m.6 views

Open WebUI 信息泄露漏洞

Open WebUI is an extensible, feature-rich, user-friendly self-hosted WebUI from Open WebUI open source. An information disclosure vulnerability exists in Open WebUI version v0.3.8, which stems from the presence of an information disclosure vulnerability that allows an attacker to disclose sensiti...

2.7CVSS3.5AI score0.00336EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2024/10/09 12:0 a.m.9 views

PT-2024-38043 · Unknown · Open-Webui

Name of the Vulnerable Software and Affected Versions: open-webui version v0.3.8 Description: The issue is related to improper privilege management in the API endpoints "GET /api/v1/documents/" and "POST /rag/api/v1/doc". This allows a lower-privileged user to access and overwrite files managed b...

6.3CVSS6.2AI score0.00362EPSS
Exploits1References8
CNNVD
CNNVD
added 2024/10/09 12:0 a.m.5 views

Open WebUI 安全漏洞

Open WebUI is an extensible, feature-rich, user-friendly self-hosted WebUI from Open WebUI open source. A security vulnerability exists in Open WebUI version v0.3.8 that stems from the presence of an insecure direct object reference IDOR vulnerability that allows an attacker to edit another user'...

6.5CVSS6.4AI score0.00357EPSS
Exploits1References2
CNNVD
CNNVD
added 2024/10/09 12:0 a.m.7 views

Open WebUI 路径遍历漏洞

Open WebUI is an extensible, feature-rich, user-friendly self-hosted WebUI from Open WebUI open source. A path traversal vulnerability exists in Open WebUI version v0.3.8 that stems from vulnerability to arbitrary file write and delete attacks, allowing an attacker to overwrite and delete system...

7.2CVSS7.1AI score0.01032EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2024/10/09 12:0 a.m.5 views

PT-2024-38041

Name of the Vulnerable Software and Affected Versions open-webui/open-webui version v0.3.8 Description An Insecure Direct Object Reference IDOR vulnerability exists, occurring in the API endpoint http://0.0.0.0:3000/api/v1/memories/id/update. The decentralization design is flawed, allowing...

6.5CVSS6.6AI score0.00357EPSS
Exploits1References12
Positive Technologies
Positive Technologies
added 2024/10/04 12:0 a.m.7 views

PT-2025-12199

Name of the Vulnerable Software and Affected Versions open-webui version 0.3.8 Description An endpoint for converting Markdown to HTML is exposed without authentication. A maliciously crafted markdown payload can cause the server to spend excessive time converting it, leading to a denial of...

7.5CVSS7.1AI score0.00811EPSS
Exploits1References24
0day.today
0day.today
added 2024/08/08 12:0 a.m.338 views

Open WebUI 0.1.105 File Upload / Path Traversal Vulnerabilities

Title: Open WebUI Arbitrary File Upload + Path Traversal Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-006.txt 1. Vulnerability Details Affected Vendor: Open WebUI Affected Product: Open WebUI Affected Version: 0.1.105 Platform: Debian 12 CWE Classification: CWE-22:...

8.8CVSS8.8AI score0.01003EPSS
Exploits3
Packet Storm
Packet Storm
added 2024/08/08 12:0 a.m.640 views

Open WebUI 0.1.105 File Upload / Path Traversal

KL-001-2024-006: Open WebUI Arbitrary File Upload + Path Traversal Title: Open WebUI Arbitrary File Upload + Path Traversal Advisory ID: KL-001-2024-006 Publication Date: 2024.08.D06 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-006.txt 1. Vulnerability Details Affected...

8.8CVSS7.1AI score0.01003EPSS
Exploits3
0day.today
0day.today
added 2024/08/08 12:0 a.m.213 views

Open WebUI 0.1.105 Persistent Cross Site Scripting Vulnerability

Title: Open WebUI Stored Cross-Site Scripting Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-005.txt 1. Vulnerability Details Affected Vendor: Open WebUI Affected Product: Open WebUI Affected Version: 0.1.105 Platform: Debian 12 CWE Classification: CWE-79: Improper...

6.1CVSS7AI score0.0062EPSS
Exploits3
Packet Storm
Packet Storm
added 2024/08/08 12:0 a.m.583 views

Open WebUI 0.1.105 Persistent Cross Site Scripting

KL-001-2024-005: Open WebUI Stored Cross-Site Scripting Title: Open WebUI Stored Cross-Site Scripting Advisory ID: KL-001-2024-005 Publication Date: 2024.08.06 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2024-005.txt 1. Vulnerability Details Affected Vendor: Open WebUI...

6.3CVSS7.1AI score0.0062EPSS
Exploits3
Vulnrichment
Vulnrichment
added 2024/08/07 11:4 p.m.37 views

CVE-2024-6707 Open WebUI Arbitrary File Upload + Path Traversal

Attacker controlled files can be uploaded to arbitrary locations on the web server's filesystem by abusing a path traversal vulnerability...

7AI score0.01003EPSS
Exploits3References1
Rows per page
Query Builder