CVE-2024-4322 — Path Traversal: '\..\filename' in WEB UI
Severity
7.5 HIGH (NVD)
EPSS
9.8%
top 7.01%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published May 16
Description
A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the `/list_personalities` endpoint. By manipulating the `category` parameter, an attacker can traverse the directory structure and list any directory on the system. This issue affects the latest version of the application. The vulnerability is due to improper handling of user-supplied input in the `list_personalities` function, where the `category` parameter can be controlled to specify arbitrary …
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 2 packages
Patches
Vulnerability Details
1 GHSA
GHSA-482r-2hv2-p3x7: A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the `/list_personalities` endpoint (2024-05-16)