CVE-2024-2178
Last modified
CVE-2024-2178 is a vulnerability of currently unknown severity. A path traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'copy_to_custom_personas' endpoint in the 'lollms_personalities_infos.py' file. This vulnerability allows attackers to read arbitrary files by manipulating the 'category' and 'name' parameters during the 'Copy to custom personas folder for editing' process. EPSS estimates a 0.60% chance of exploitation in the next 30 days.
Description
A path traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'copy_to_custom_personas' endpoint in the 'lollms_personalities_infos.py' file. This vulnerability allows attackers to read arbitrary files by manipulating the 'category' and 'name' parameters during the 'Copy to custom personas folder for editing' process. By inserting '../' sequences in these parameters, attackers can traverse the directory structure and access files outside of the intended directory. Successful exploitation results in unauthorized access to sensitive information.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Lollms | Lollms Web Ui | < 9.4 |
References
- https://huntr.com/bounties/e585f1dd-a026-4419-8f42-5835e85fad9eExploit, Issue Tracking, Patch, Third Party Advisory
- https://huntr.com/bounties/e585f1dd-a026-4419-8f42-5835e85fad9eExploit, Issue Tracking, Patch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2024-2178?
How severe is CVE-2024-2178?
How do I fix CVE-2024-2178?
Are you affected by CVE-2024-2178?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST