Products
parisneo/lollms-webui
- 9.6 - latest
Source
security@huntr.dev
Tags
CVE-2024-4841 details
Last Modified : June 23, 2024, 3:15 p.m.
Description
A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'add_reference_to_local_mode' function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest. By exploiting this vulnerability, an attacker can predict the folders, subfolders, and files present on the victim's computer. The vulnerability is present in the way the application handles the 'path' parameter in HTTP requests to the '/add_reference_to_local_model' endpoint.
CVSS Score
1 | 2 | 3 | 4.0 | 5 | 6 | 7 | 8 | 9 | 10 |
---|
Weakness
Weakness | Name | Description |
---|---|---|
CWE-29 | Path Traversal: '\..\filename' | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '\..\filename' (leading backslash dot dot) sequences that can resolve to a location that is outside of that directory. |
CVSS Data
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
Base Score
4.0
Exploitability Score
2.5
Impact Score
1.4
Base Severity
MEDIUM
Vector String : CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
URL | Source |
---|---|
https://huntr.com/bounties/740dda3e-7104-4ccf-9ac4-8870e4d6d602 | security@huntr.dev |