CVE-2024-6985

A path traversal vulnerability exists in the api open_personality_folder endpoint of parisneo/lollms-webui. This vulnerability allows an attacker to read any folder in the personality_folder on the victim's computer, even though sanitize_path is set. The issue arises due to improper sanitization of the personality_folder parameter, which can be exploited to traverse directories and access arbitrary files.
Configurations

Configuration 1 (hide)

cpe:2.3:a:lollms:lollms:*:*:*:*:*:*:*:*

History

15 Nov 2024, 17:10

Type Values Removed Values Added
First Time Lollms
Lollms lollms
References () https://github.com/parisneo/lollms/commit/28ee567a9a120967215ff19b96ab7515ce469620 - () https://github.com/parisneo/lollms/commit/28ee567a9a120967215ff19b96ab7515ce469620 - Patch
References () https://huntr.com/bounties/79c11579-47d8-4e68-8466-b47c3bf5ef6a - () https://huntr.com/bounties/79c11579-47d8-4e68-8466-b47c3bf5ef6a - Exploit, Third Party Advisory
CPE cpe:2.3:a:lollms:lollms:*:*:*:*:*:*:*:*

15 Oct 2024, 12:58

Type Values Removed Values Added
Summary
  • (es) Existe una vulnerabilidad de path traversal en el endpoint de la API open_personality_folder de parisneo/lollms-webui. Esta vulnerabilidad permite a un atacante leer cualquier carpeta en personality_folder en la computadora de la víctima, incluso aunque sanitize_path esté configurado. El problema surge debido a una desinfección incorrecta del parámetro personality_folder, que puede explotarse para recorrer directorios y acceder a archivos arbitrarios.

11 Oct 2024, 16:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-11 16:15

Updated : 2024-11-15 17:10


NVD link : CVE-2024-6985

Mitre link : CVE-2024-6985

CVE.ORG link : CVE-2024-6985


JSON object : View

Products Affected

lollms

  • lollms
CWE
CWE-23

Relative Path Traversal