CVE-2024-6985 MEDIUM

CVE-2024-6985: Path Traversal in API open_personality_folder in parisneo/lollms-webui

Vendor Parisneo
Product parisneo/lollms
Weakness CWE-23
Published October 11, 2024
Last update October 11, 2024

CVSS base score

4.4/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

A path traversal vulnerability exists in the open_personality_folder API endpoint of parisneo/lollms-webui. This vulnerability allows an attacker to read any folder in the personality_folder on the victim's computer, even though sanitize_path is set. The issue arises from improper sanitization of the personality_folder parameter, which can be exploited to traverse directories and access arbitrary files.
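One way to confine a user-supplied folder name to a base directory, shown as an added example (not code from lollms-webui or from this record): resolve the joined path and check that the result still lies under the base. The names resolve_inside and UnsafePathError, the personalities directory layout and the sample requests are all constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

class UnsafePathError(ValueError):
    """The requested folder is not inside the allowed base directory."""

def resolve_inside(base: Path, requested: str) -> Path:
    """Return the real directory for `requested` under `base`, or raise."""
    if not requested or "\x00" in requested:
        raise UnsafePathError("empty path or embedded NUL")
    base_real = base.resolve(strict=True)
    # Joining an absolute `requested` discards the base, and resolve()
    # collapses ".." and follows symlinks, so compare the final location.
    candidate = (base_real / requested).resolve()
    if candidate != base_real and base_real not in candidate.parents:
        raise UnsafePathError(f"{requested!r} resolves outside the base")
    if not candidate.is_dir():
        raise UnsafePathError(f"{requested!r} is not an existing folder")
    return candidate

def demo() -> dict:
    """Run constructed requests against a throwaway directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        base = root / "personalities"              # assumed layout
        (base / "generic" / "assistant").mkdir(parents=True)
        (root / "private").mkdir()                 # sibling outside the base
        os.symlink(root / "private", base / "link_out")
        requests = {                               # constructed sample inputs
            "plain": "generic/assistant",
            "dotdot_inside": "generic/../generic/assistant",
            "dotdot_escape": "../private",
            "absolute": str(root / "private"),
            "symlink_out": "link_out",
            "missing": "generic/missing",
        }
        results = {}
        for label, req in requests.items():
            try:
                resolve_inside(base, req)
                results[label] = "allowed"
            except UnsafePathError:
                results[label] = "rejected"
        return results

if __name__ == "__main__":
    print(demo())
```

The comparison is made on the resolved path rather than on the raw string, so a request that contains ".." but stays inside the base is still accepted, while absolute paths and symlinks that lead outside are refused.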

Key dates

02 Disclosure timeline

October 11, 2024 CVE published
October 11, 2024 Record updated