CVE-2024-6394

HIGH

parisneo/lollms-webui <9.8 - Path Traversal

Title source: llm

Description

A Local File Inclusion vulnerability exists in parisneo/lollms-webui versions below v9.8. The vulnerability is due to unverified path concatenation in the `serve_js` function in `app.py`, which allows attackers to perform path traversal attacks. This can lead to unauthorized access to arbitrary files on the server, potentially exposing sensitive information such as private SSH keys, configuration files, and source code.
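As an added, defensive illustration of the flaw class described above (not code from lollms-webui's own `app.py`), the unchecked concatenation is shown beside a containment check that resolves the final path and refuses anything outside the static directory; the directory path, file names and function names are assumptions.

```python
import os

# Constructed example location for served JavaScript; not the project's real layout.
STATIC_DIR = "/srv/lollms-example/static"


def unsafe_join(base_dir: str, requested: str) -> str:
    """Vulnerable pattern: concatenate and serve without checking the result.

    os.path.join does not normalise "..", and an absolute `requested`
    discards base_dir entirely, so the caller may read outside base_dir.
    """
    return os.path.join(base_dir, requested)


def safe_join(base_dir: str, requested: str):
    """Return the resolved path only if it stays inside base_dir, else None.

    realpath() collapses ".." segments and follows symlinks, so a link inside
    base_dir that points elsewhere is also rejected. commonpath() is used
    instead of startswith() so "/srv/static-other" is not mistaken for a
    child of "/srv/static".
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:
        # Raised on Windows when the two paths are on different drives.
        return None
    return candidate


def classify(requested: str) -> str:
    """Describe how a request would be handled by the hardened check."""
    return "allowed" if safe_join(STATIC_DIR, requested) else "rejected"
```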

Scores

CVSS v3 7.5
EPSS 0.0051
EPSS Percentile 66.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE
CWE-29
Status published

Affected Products (1)

lollms/lollms_web_ui

Timeline

Published Sep 30, 2024
Tracked Since Feb 18, 2026