CVE-2024-4322

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-4322

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-4322.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-4322

Published

2024-05-16T09:15:16.613Z

Modified

2026-04-10T05:16:17.797753Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the /list_personalities endpoint. By manipulating the category parameter, an attacker can traverse the directory structure and list any directory on the system. This issue affects the latest version of the application. The vulnerability is due to improper handling of user-supplied input in the list_personalities function, where the category parameter can be controlled to specify arbitrary directories for listing. Successful exploitation of this vulnerability could allow an attacker to list all folders in the drive on the system, potentially leading to information disclosure.

References

https://huntr.com/bounties/5116d858-ce00-418c-a5a5-851c5608c209

Affected packages

Git / github.com/parisneo/lollms-webui

Affected ranges

Type

GIT

Repo

https://github.com/parisneo/lollms-webui

Events

Introduced

Fixed

8a8e3a1c386321f641a014bf8f7029512ccad411

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "9.8"
        }
    ]
}

Affected versions

v0.*

v0.0.1

v0.0.2

v0.0.3

v0.0.5

v0.0.6

v0.0.7

v0.0.8

v0.0.9

v3.*

v3.0

v3.5

v4.*

v4.0

v5.*

v5.0

v6.*

v6.0

v6.5

v6.5.0

v6.5rc2

v6.7

v7.*

v7.0

v8.*

v8.5

v9.*

v9.0

v9.1

v9.2

v9.3

v9.4

v9.5

v9.6

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-4322.json"