CVE-2024-6250
published 2024-06-27


Priority: P1 79 (high)
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploited in the wild (ITW exploit; VulnCheck KEV)
EPSS: 1.96% (77.8th percentile)
An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the `open_file` endpoint of `lollms_advanced.py`. The `sanitize_path` function with `allow_absolute_path=True` allows an attacker to access arbitrary files and directories on a Windows system. This vulnerability can be exploited to read any file and list arbitrary directories on the affected system.

Affected (2 ranges)

Vendor   | Product               | Version range        | Fixed in
lollms   | lollms_web_ui         | not listed           | not listed
parisneo | parisneo_lollms-webui | unspecified – latest | not listed

Detection & IOCs (extracted from sources)

url: POST /open_file HTTP/1.1
url: POST /api/open_file HTTP/1.1
path: C:/Windows/win.ini
path: lollms_advanced.py
sigma: detection keywords: 'bit app support' AND '[fonts]' AND '[extensions]' in HTTP response body with status 200 and content-type text/plain to /open_file or /api/open_file
  • Monitor for POST requests to /open_file or /api/open_file endpoints containing absolute Windows paths (e.g., C:/) in the JSON body parameter 'path'.
  • Successful exploitation returns HTTP 200 with content-type text/plain and a response body containing 'bit app support', '[fonts]', and '[extensions]' — characteristic strings from Windows win.ini.
  • The vulnerability is triggered when the sanitize_path function is called with allow_absolute_path=True in lollms_advanced.py, permitting arbitrary absolute path access on Windows.
  • The vulnerability is Windows-specific; the absolute path traversal using drive-letter paths (e.g., C:/) only applies to Windows deployments of lollms-webui.
  • The Nuclei template uses stop-at-first-match across two endpoints (/open_file and /api/open_file), meaning only one request may be sent per scan; ensure both endpoints are tested independently in custom detection pipelines.
  • The Nuclei template is marked as unverified (verified: false), so false positive/negative rates are unknown.
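As an added example (not from the page's sources or the lollms-webui project), the request-side and response-side indicators above combined into one classifier that checks both endpoints independently. The transaction record layout (method, uri, request_body, status, content_type, response_body) and the sample transactions are constructed assumptions.

```python
import json
import re

# Endpoints and indicators named in the CVE-2024-6250 record above.
WATCHED_ENDPOINTS = {"/open_file", "/api/open_file"}
# Drive-letter absolute path in either slash style (the bug is Windows-specific).
WIN_ABS_PATH = re.compile(r"^[A-Za-z]:[\\/]")
# Characteristic win.ini strings from the response-side rule.
WIN_INI_MARKERS = ("bit app support", "[fonts]", "[extensions]")


def request_indicator(tx):
    """POST to a watched endpoint whose JSON 'path' is an absolute Windows path."""
    if tx.get("method") != "POST":
        return False
    if tx.get("uri", "").split("?", 1)[0] not in WATCHED_ENDPOINTS:
        return False
    try:
        body = json.loads(tx.get("request_body") or "{}")
    except ValueError:
        return False
    path = body.get("path") if isinstance(body, dict) else None
    return isinstance(path, str) and bool(WIN_ABS_PATH.match(path.strip()))


def response_indicator(tx):
    """HTTP 200 text/plain whose body carries all three win.ini markers."""
    if tx.get("status") != 200:
        return False
    if not tx.get("content_type", "").lower().startswith("text/plain"):
        return False
    body = tx.get("response_body", "").lower()
    return all(m in body for m in WIN_INI_MARKERS)


def classify(tx):
    """Return 'confirmed', 'attempt', or None for one request/response pair."""
    req, resp = request_indicator(tx), response_indicator(tx)
    if req and resp:
        return "confirmed"  # absolute path requested and win.ini content returned
    return "attempt" if req else None  # matching request, no win.ini content back


# Constructed sample transactions (assumed record layout, not a real capture).
SAMPLE_TXS = [
    {"method": "POST", "uri": "/open_file", "request_body": '{"path": "C:/Windows/win.ini"}',
     "status": 200, "content_type": "text/plain; charset=utf-8",
     "response_body": "; for 16-bit app support\r\n[fonts]\r\n[extensions]\r\n"},
    {"method": "POST", "uri": "/api/open_file", "request_body": '{"path": "D:\\\\secrets\\\\notes.txt"}',
     "status": 404, "content_type": "application/json", "response_body": '{"error": "not found"}'},
    {"method": "POST", "uri": "/open_file", "request_body": '{"path": "outputs/report.md"}',
     "status": 200, "content_type": "text/plain", "response_body": "# report"},
]

if __name__ == "__main__":
    for tx in SAMPLE_TXS:
        print(tx["uri"], tx["request_body"], "->", classify(tx))
```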

CVSS provenance

NVD (v3.0): 7.5 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
VulnCheck: 7.5 HIGH