Products
UNKNOWN
Source
security@huntr.dev
Tags
CVE-2024-6281 details
Published : July 20, 2024, 4:15 a.m.
Last Modified : July 20, 2024, 4:15 a.m.
Last Modified : July 20, 2024, 4:15 a.m.
Description
A path traversal vulnerability exists in the `apply_settings` function of parisneo/lollms versions prior to 9.5.1. The `sanitize_path` function does not adequately secure the `discussion_db_name` parameter, allowing attackers to manipulate the path and potentially write to important system folders.
CVSS Score
| 1 | 2 | 3 | 4 | 5 | 6 | 7.3 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-440 | Expected Behavior Violation | A feature, API, or function does not perform according to its specification. |
CVSS Data
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
HIGH
Base Score
7.3
Exploitability Score
2.5
Impact Score
4.7
Base Severity
HIGH
Vector String : CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
References
| URL | Source |
|---|---|
| https://github.com/parisneo/lollms/commit/26a3ff35acf152b49e1087d5698ad4864c7b6092 | security@huntr.dev |
| https://huntr.com/bounties/0a62f2fb-4e62-4128-9dc4-e8f1d959ac61 | security@huntr.dev |
This website uses the NVD API, but is not approved or certified by it.