CVE-2024-4841

A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'add_reference_to_local_mode' function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest. By exploiting this vulnerability, an attacker can predict the folders, subfolders, and files present on the victim's computer. The vulnerability is present in the way the application handles the 'path' parameter in HTTP requests to the '/add_reference_to_local_model' endpoint.

CVSS v3 4.0 MEDIUM

4.0^/10

CVSS v3 : MEDIUM

V3 Legend

Vector : AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Exploitability : 2.5 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://huntr.com/bounties/740dda3e-7104-4ccf-9ac4-8870e4d6d602

Configurations

No configuration.

History

24 Jun 2024, 12:57

Type	Values Removed	Values Added
Summary		(es) Existe una vulnerabilidad de Path Traversal en parisneo/lollms-webui, específicamente dentro de la función 'add_reference_to_local_mode' debido a la falta de sanitización de entrada. Esta vulnerabilidad afecta a las versiones v9.6 hasta la última. Al explotar esta vulnerabilidad, un atacante puede predecir las carpetas, subcarpetas y archivos presentes en la computadora de la víctima. La vulnerabilidad está presente en la forma en que la aplicación maneja el parámetro 'ruta' en las solicitudes HTTP al endpoint '/add_reference_to_local_model'.

23 Jun 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-23 15:15

Updated : 2024-06-24 12:57

NVD link : CVE-2024-4841

Mitre link : CVE-2024-4841

CVE.ORG link : CVE-2024-4841

JSON object : View

Products Affected

No product.

CWE

CWE-29

Path Traversal: '\..\filename'

4.0 /10