CVE-2024-6985

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-6985
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-6985.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-6985
Aliases
Published
2024-10-11T16:15:14Z
Modified
2024-11-15T20:57:11.339641Z
Severity
  • 4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

A path traversal vulnerability exists in the api openpersonalityfolder endpoint of parisneo/lollms-webui. This vulnerability allows an attacker to read any folder in the personalityfolder on the victim's computer, even though sanitizepath is set. The issue arises due to improper sanitization of the personality_folder parameter, which can be exploited to traverse directories and access arbitrary files.

References

Affected packages

Git / github.com/parisneo/lollms

Affected ranges

Type
GIT
Repo
https://github.com/parisneo/lollms
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v5.*

v5.9.0
v5.9.1