cbcvebase.
CVE-2024-4330
published 2024-05-30

CVE-2024-4330: A path traversal vulnerability was identified in the parisneo/lollms-webui repository, specifically within version 9.6. The vulnerability arises due to…

PriorityP415low3.3CVSS 3.1
AVLACLPRLUINSUCLINAN
EPSS
0.29%
20.2th percentile
A path traversal vulnerability was identified in the parisneo/lollms-webui repository, specifically within version 9.6. The vulnerability arises due to improper handling of user-supplied input in the 'list_personalities' endpoint. By crafting a malicious HTTP request, an attacker can traverse the directory structure and view the contents of any folder, albeit limited to subfolder names only. This issue was demonstrated via a specific HTTP request that manipulated the 'category' parameter to access arbitrary directories. The vulnerability is present in the code located at the 'endpoints/lollms_advanced.py' file.

Affected

2 ranges
VendorProductVersion rangeFixed in
lollmslollms_web_ui>= 9.6 < 9.89.8
parisneoparisneo_lollms-webuiunspecified – latest

CVSS provenance

nvdv3.13.3LOWCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvdv3.04.0MEDIUMCVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vendor_redhat5.5MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.