logo
Vulnerability feed
CONTRIBUTE

Vulnerability

warn

CVE-2024-2548

Reference to the description:

https://nvd.nist.gov/vuln/detail/CVE-2024-2548

Description:
A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the `lollms_core/lollms/server/endpoints/lollms_binding_files_server.py` and `lollms_core/lollms/security.py` files. Due to inadequate validation of file paths between Windows and Linux environments using `Path(path).is_absolute()`, attackers can exploit this flaw to read any file on the system. This issue affects the latest version of LoLLMs running on the Windows platform. The vulnerability is triggered when an attacker sends a specially crafted request to the `/user_infos/{path:path}` endpoint, allowing the reading of arbitrary files, as demonstrated with the `win.ini` file. The issue has been addressed in version 9.5 of the software.
Last updated date:
10/17/2024
Type:
exploit
Confidence:
HIGH
Date of publishing:
10/17/2024
Reference url to background

https://huntr.com/bounties/65979513-db0d-46fd-9977-fcd73bcd8a41

Vulnerability FeedContributorsAboutBlog

@inTheWild

©2024

Privacy Policy