CVE-2024-6394

HIGH

parisneo/lollms-webui <9.8 - Path Traversal

Description

A path traversal vulnerability (reported as Local File Inclusion) exists in parisneo/lollms-webui versions below v9.8. The `serve_js` function in `app.py` concatenates a caller-controlled path onto the static-file directory without normalising or validating the result, so `../` sequences let an unauthenticated remote attacker read arbitrary files the web-server process can access, potentially exposing sensitive information such as private SSH keys, configuration files, and source code.
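The snippet below is an added illustration, not code from lollms-webui or its maintainers. It contrasts the unsafe pattern the description names (joining a request path onto a static directory and serving whatever results) with a resolve-and-containment check that rejects anything outside the directory. The base directory `/srv/app/web/dist`, the helper names and the request strings are constructed for this example, and the path semantics assume a POSIX filesystem.

```python
"""Constructed demo: unsafe path concatenation vs. a contained resolve.

Not lollms-webui code; the base directory and request strings are made up.
Assumes a POSIX filesystem (resolve() semantics and "/" as separator).
"""
import os
from pathlib import Path
from typing import Optional

# Hypothetical static-file directory a web app serves JS/CSS from.
BASE_DIR = "/srv/app/web/dist"


def vulnerable_join(base_dir: str, requested: str) -> str:
    """Unsafe pattern: join the request path onto the base directory and
    hand the result to the filesystem. Nothing checks that the result stays
    inside base_dir, so '..' segments walk out of it, and an absolute
    request path replaces base_dir entirely (pathlib's '/' semantics).
    The result is normalised here only to show what the kernel would open."""
    return os.path.normpath(str(Path(base_dir) / requested))


def safe_resolve(base_dir: str, requested: str) -> Optional[str]:
    """Hardened form: resolve both paths (collapsing '..' and following
    symlinks) and require the candidate to sit under the base directory.
    Returns the resolved path to serve, or None to answer with 404."""
    if "\x00" in requested:                  # NUL would truncate the name in C-level opens
        return None
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()  # an absolute 'requested' lands outside -> rejected below
    try:
        candidate.relative_to(base)           # ValueError if candidate is not inside base
    except ValueError:
        return None
    return str(candidate)


# Constructed request paths an attacker or a legitimate client might send.
SAMPLE_REQUESTS = [
    "assets/index.js",                 # legitimate asset
    "../../../../etc/passwd",          # classic traversal out of the four-level base
    "/etc/passwd",                     # absolute path swallowing the base entirely
    "assets/../app.js",                # steps up then back; still inside, accepted
    "../../../../root/.ssh/id_rsa",    # the SSH-key case the advisory mentions
]


def triage(base_dir: str, requests) -> dict:
    """For each request, report what the unsafe join would open and what
    the hardened check returns (None means rejected)."""
    return {
        r: {"unsafe_opens": vulnerable_join(base_dir, r),
            "safe_result": safe_resolve(base_dir, r)}
        for r in requests
    }


if __name__ == "__main__":
    for req, outcome in triage(BASE_DIR, SAMPLE_REQUESTS).items():
        verdict = "served" if outcome["safe_result"] else "rejected"
        print(f"{req!r:35} unsafe -> {outcome['unsafe_opens']:<35} hardened -> {verdict}")
```

The containment check is done on the resolved path rather than on the raw string: rejecting `..` textually misses absolute paths (which `Path.__truediv__` and `os.path.join` both let replace the base) and symlinks inside the served directory that point elsewhere, whereas `resolve()` followed by `relative_to()` catches both.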

Scores

CVSS v3 7.5 (High)
EPSS 0.0051 (0.51% predicted probability of exploitation activity in the next 30 days)
EPSS Percentile 66.6%
Attack Vector NETWORK
CVSS v3.0 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (unauthenticated, no user interaction, high confidentiality impact only)

CISA SSVC

Vulnrichment
Exploitation poc (public proof of concept available)
Automatable yes
Technical Impact partial

Details

CWE
CWE-29 Path Traversal: '\..\filename'
Status published
Products (1)
lollms/lollms_web_ui 9.8
Published Sep 30, 2024
Tracked Since Feb 18, 2026