A path traversal vulnerability exists in the api open_personality_folder endpoint of parisneo/lollms-webui. This vulnerability allows an attacker to read any folder in the personality_folder on the victim's computer, even though sanitize_path is set. The issue arises due to improper sanitization of the personality_folder parameter, which can be exploited to traverse directories and access arbitrary files.
References
Link | Resource |
---|---|
https://github.com/parisneo/lollms/commit/28ee567a9a120967215ff19b96ab7515ce469620 | Patch |
https://huntr.com/bounties/79c11579-47d8-4e68-8466-b47c3bf5ef6a | Exploit Third Party Advisory |
Configurations
History
15 Nov 2024, 17:10
Type | Values Removed | Values Added |
---|---|---|
First Time |
Lollms
Lollms lollms |
|
References | () https://github.com/parisneo/lollms/commit/28ee567a9a120967215ff19b96ab7515ce469620 - Patch | |
References | () https://huntr.com/bounties/79c11579-47d8-4e68-8466-b47c3bf5ef6a - Exploit, Third Party Advisory | |
CPE | cpe:2.3:a:lollms:lollms:*:*:*:*:*:*:*:* |
15 Oct 2024, 12:58
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
11 Oct 2024, 16:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-10-11 16:15
Updated : 2024-11-15 17:10
NVD link : CVE-2024-6985
Mitre link : CVE-2024-6985
CVE.ORG link : CVE-2024-6985
JSON object : View
Products Affected
lollms
- lollms
CWE
CWE-23
Relative Path Traversal