CVE-2024-4330Relative Path Traversal in WEB UI

CWE-23Relative Path TraversalCWE-99Resource Injection4 documents4 sources
Severity
3.3LOWNVD
EPSS
0.1%
top 68.56%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Lollms WEB UIParisneo Lollms-webui
Timeline
PublishedMay 30
Latest updateNov 7

Description

A path traversal vulnerability was identified in the parisneo/lollms-webui repository, specifically within version 9.6. The vulnerability arises due to improper handling of user-supplied input in the 'list_personalities' endpoint. By crafting a malicious HTTP request, an attacker can traverse the directory structure and view the contents of any folder, albeit limited to subfolder names only. This issue was demonstrated via a specific HTTP request that manipulated the 'category' parameter to acce

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages2 packages

CVEListV5parisneo/parisneo_lollms-webuiunspecifiedlatest
NVDlollms/lollms_web_ui9.69.8

Patches

Patch: huntr.comPatch: huntr.com

🔴Vulnerability Details

2
GHSA
path traversal vulnerability was identified in the parisneo/lollms-webui2024-06-02
OSV
path traversal vulnerability was identified in the parisneo/lollms-webui2024-06-02

📋Vendor Advisories

1
Red Hat
kernel: ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context2024-11-07