CVE-2024-2362 — Absolute Path Traversal in Lollms-webui

CWE-36 — Absolute Path Traversal CWE-22 — Path Traversal2 documents2 sources

Severity

9.1CRITICALNVD

EPSS

1.9%

top 16.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Parisneo Lollms-webui Lollms WEB UI

Timeline

PublishedJun 6

Description

A path traversal vulnerability exists in the parisneo/lollms-webui version 9.3 on the Windows platform. Due to improper validation of file paths between Windows and Linux environments, an attacker can exploit this vulnerability to delete any file on the system. The issue arises from the lack of adequate sanitization of user-supplied input in the 'del_preset' endpoint, where the application fails to prevent the use of absolute paths or directory traversal sequences ('..'). As a result, an attacke…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages2 packages

▶CVEListV5parisneo/parisneo_lollms-webuiunspecified — latest

▶NVDlollms/lollms_web_ui9.3

🔴Vulnerability Details

GHSA

GHSA-5wv7-58x2-44rh: A path traversal vulnerability exists in the parisneo/lollms-webui version 9↗2024-06-06

▶