
THREATINT
PUBLISHED

CVE-2024-3322

Path Traversal in parisneo/lollms-webui



Description

A path traversal vulnerability exists in the 'cyber_security/codeguard' native personality of the parisneo/lollms-webui, affecting versions up to 9.5. The vulnerability arises from the improper limitation of a pathname to a restricted directory in the 'process_folder' function within 'lollms-webui/zoos/personalities_zoo/cyber_security/codeguard/scripts/processor.py'. Specifically, the function fails to properly sanitize user-supplied input for the 'code_folder_path', allowing an attacker to specify arbitrary paths using '../' or absolute paths. This flaw leads to arbitrary file read and overwrite capabilities in specified directories without limitations, posing a significant risk of sensitive information disclosure and unauthorized file manipulation.
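As an added illustration (not the project's own code and not the fix in the referenced commit), the check below shows how a user-supplied 'code_folder_path' can be confined to a configured workspace directory by deciding on the fully resolved path rather than the raw string; the workspace path and sample inputs are constructed.

```python
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a user-supplied folder path escapes the allowed base directory."""


def resolve_code_folder(base_dir: str, code_folder_path: str) -> Path:
    """Return the absolute folder to process, or raise if it leaves base_dir.

    Hypothetical hardened check (not lollms-webui's own code): the decision is
    made on the resolved path, so '../' segments, absolute paths and symlinks
    that point outside base_dir are all rejected the same way. resolve() only
    sees symlinks that exist at check time, so the returned Path should be used
    directly rather than re-joining the raw input later.
    """
    base = Path(base_dir).resolve()
    # pathlib discards `base` when the right operand is absolute, e.g.
    # base / "/etc" == Path("/etc"); the containment check below catches that.
    candidate = (base / code_folder_path).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError when outside base
    except ValueError:
        raise PathTraversalError(
            f"{code_folder_path!r} resolves to {candidate}, outside {base}"
        ) from None
    return candidate


def is_safe_code_folder(base_dir: str, code_folder_path: str) -> bool:
    """Boolean wrapper for callers that only need an accept/reject verdict."""
    try:
        resolve_code_folder(base_dir, code_folder_path)
    except PathTraversalError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a made-up workspace root and the kinds of values a
    # client could submit as code_folder_path.
    WORKSPACE = "/srv/lollms/workspace"
    for supplied in ("proj_a", "proj_a/../proj_b", "../../etc/passwd", "/etc/passwd"):
        verdict = "accept" if is_safe_code_folder(WORKSPACE, supplied) else "reject"
        print(f"{verdict:6} {supplied}")
```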

Reserved 2024-04-04 | Published 2024-06-06 | Updated 2024-08-01 | Assigner @huntr_ai


HIGH: 8.4 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Any version before 9.5: affected

References

huntr.com/bounties/e0822362-033a-4a71-b1dc-d803f03bd427

github.com/...ommit/1e17df01e01d4d33599db2afaafe91d90b6f0189

cve.org (CVE-2024-3322)

nvd.nist.gov (CVE-2024-3322)

https://cve.threatint.eu/CVE/CVE-2024-3322
