CVE-2024-2362

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-2362
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-2362.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-2362
Published
2024-06-06T19:15:54Z
Modified
2025-01-08T09:48:04.234762Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Summary
[none]
Details

A path traversal vulnerability exists in the parisneo/lollms-webui version 9.3 on the Windows platform. Due to improper validation of file paths between Windows and Linux environments, an attacker can exploit this vulnerability to delete any file on the system. The issue arises from the lack of adequate sanitization of user-supplied input in the 'delpreset' endpoint, where the application fails to prevent the use of absolute paths or directory traversal sequences ('..'). As a result, an attacker can send a specially crafted request to the 'delpreset' endpoint to delete files outside of the intended directory.

References

Affected packages

Git / github.com/parisneo/lollms-webui

Affected ranges

Type
GIT
Repo
https://github.com/parisneo/lollms-webui
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

v0.*

v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9

v3.*

v3.0
v3.5

v4.*

v4.0

v5.*

v5.0

v6.*

v6.0
v6.5
v6.5.0
v6.5rc2
v6.7

v7.*

v7.0

v8.*

v8.0
v8.5

v9.*

v9.0
v9.1
v9.2
v9.3