ГлавнаяУязвимости → CVE-2024-6250
7.5высокая

CVE-2024-6250

Описание

An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the `open_file` endpoint of `lollms_advanced.py`. The `sanitize_path` function with `allow_absolute_path=True` allows an attacker to access arbitrary files and directories on a Windows system. This vulnerability can be exploited to read any file and list arbitrary directories on the affected system.

Затрагиваемое ПО
Lollms Lollms web ui
CVSS
Балл7.5 — высокая
ВекторCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Источники
https://huntr.com/bounties/11a8bf9d-16f3-49b3-b5fc-ad36d8993c73https://huntr.com/bounties/11a8bf9d-16f3-49b3-b5fc-ad36d8993c73