Home > Vulnerability Database > CVE-2024-4330

Mend.io Vulnerability Database

CVE-2024-4330

Date: May 30, 2024

A path traversal vulnerability was identified in the parisneo/lollms-webui repository, specifically within version 9.6. The vulnerability arises due to improper handling of user-supplied input in the 'list_personalities' endpoint. By crafting a malicious HTTP request, an attacker can traverse the directory structure and view the contents of any folder, albeit limited to subfolder names only. This issue was demonstrated via a specific HTTP request that manipulated the 'category' parameter to access arbitrary directories. The vulnerability is present in the code located at the 'endpoints/lollms_advanced.py' file.

Language: Python

Severity Score

4.0

Related Resources (5)

Url: https://github.com/ParisNeo/lollms

Url: https://huntr.com/bounties/154a78d5-3960-4fc6-8666-f982b5e70ed7

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-4330

Url: https://github.com/ParisNeo/lollms/commit/0e52d59a06b7f05e3b2611ce7b053fafa44143a9

Url: https://www.mend.io/vulnerability-database/CVE-2024-4330

Severity Score

4.0

Weakness Type (CWE)

Relative Path Traversal

CWE-23

CVSS v3.1

Base Score:	4.0
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-4330

Date: May 30, 2024

Language: Python

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?