CVE-2024-6250
Last modified
CVE-2024-6250 is a vulnerability of currently unknown severity. An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the `open_file` endpoint of `lollms_advanced.py`. The `sanitize_path` function with `allow_absolute_path=True` allows an attacker to access arbitrary files and directories on a Windows system. EPSS estimates a 1.96% chance of exploitation in the next 30 days.
Description
An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the `open_file` endpoint of `lollms_advanced.py`. The `sanitize_path` function with `allow_absolute_path=True` allows an attacker to access arbitrary files and directories on a Windows system. This vulnerability can be exploited to read any file and list arbitrary directories on the affected system.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Lollms | Lollms Web Ui | 9.6 |
References
- https://huntr.com/bounties/11a8bf9d-16f3-49b3-b5fc-ad36d8993c73Exploit, Issue Tracking, Third Party Advisory
- https://huntr.com/bounties/11a8bf9d-16f3-49b3-b5fc-ad36d8993c73Exploit, Issue Tracking, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2024-6250?
How severe is CVE-2024-6250?
How do I fix CVE-2024-6250?
Are you affected by CVE-2024-6250?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST