Описание
A path traversal vulnerability exists in the api open_personality_folder endpoint of parisneo/lollms-webui. This vulnerability allows an attacker to read any folder in the personality_folder on the victim's computer, even though sanitize_path is set. The issue arises due to improper sanitization of the personality_folder parameter, which can be exploited to traverse directories and access arbitrary files.
Ссылки
- Patch
- ExploitThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 5.9.0 (исключая)
cpe:2.3:a:lollms:lollms:*:*:*:*:*:*:*:*
EPSS
Процентиль: 12%
0.00039
Низкий
4.4 Medium
CVSS3
4.4 Medium
CVSS3
Дефекты
CWE-23
Связанные уязвимости
CVSS3: 4.4
github
больше 1 года назад
Lord of Large Language Models (LoLLMs) path traversal vulnerability in the api open_personality_folder endpoint
EPSS
Процентиль: 12%
0.00039
Низкий
4.4 Medium
CVSS3
4.4 Medium
CVSS3
Дефекты
CWE-23