Description

An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the `open_file` endpoint of `lollms_advanced.py`. The `sanitize_path` function with `allow_absolute_path=True` allows an attacker to access arbitrary files and directories on a Windows system. This vulnerability can be exploited to read any file and list arbitrary directories on the affected system.

INFO

Published Date :

2024-06-27T18:41:41.259Z

Last Modified :

2024-08-01T21:33:05.318Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2024-6250 vulnerability.

Vendors Products
Lollms
  • Lollms Web Ui
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-6250.

URL Resource
https://huntr.com/bounties/11a8bf9d-16f3-49b3-b5fc-ad36d8993c73 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact