CVE-2024-1600PHP Remote File Inclusion in Lollms-webui

CWE-98PHP Remote File InclusionCWE-1300Improper Protection of Physical Side Channels3 documents3 sources
Severity
9.3CRITICALNVD
EPSS
1.9%
top 16.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Parisneo Lollms-webuiLollms WEB UI
Timeline
PublishedApr 10

Description

A Local File Inclusion (LFI) vulnerability exists in the parisneo/lollms-webui application, specifically within the `/personalities` route. An attacker can exploit this vulnerability by crafting a URL that includes directory traversal sequences (`../../`) followed by the desired system file path, URL encoded. Successful exploitation allows the attacker to read any file on the filesystem accessible by the web server. This issue arises due to improper control of filename for include/require statem

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:LExploitability: 3.9 | Impact: 4.7

Affected Packages2 packages

CVEListV5parisneo/parisneo_lollms-webuiunspecified9.5
NVDlollms/lollms_web_ui9.09.6

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
GHSA
GHSA-24m8-r3wq-c97x: A Local File Inclusion (LFI) vulnerability exists in the parisneo/lollms-webui application, specifically within the `/personalities` route2024-04-10

📋Vendor Advisories

1
Red Hat
kernel: arm64: entry: fix ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD2024-04-02