FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial
FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial

CVE-2024-1600

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') (CWE-98)

Published: Apr 10, 2024 / Updated: 7mo ago

010
No CVSS yetEPSS 0.04%
CVE info copied to clipboard

A Local File Inclusion (LFI) vulnerability exists in the parisneo/lollms-webui application, specifically within the `/personalities` route. An attacker can exploit this vulnerability by crafting a URL that includes directory traversal sequences (`../../`) followed by the desired system file path, URL encoded. Successful exploitation allows the attacker to read any file on the filesystem accessible by the web server. This issue arises due to improper control of filename for include/require statement in the application.

Timeline

CVE Assignment

NVD published the first details for CVE-2024-1600

Apr 10, 2024 at 5:15 PM
First Article

Feedly found the first article mentioning CVE-2024-1600. See article

Apr 10, 2024 at 5:24 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Apr 10, 2024 at 5:24 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 7.9%)

Apr 11, 2024 at 9:53 AM
Static CVE Timeline Graph

Attack Patterns

CAPEC-193: PHP Remote File Inclusion
+null more

News

Update Sun Sep 8 14:33:03 UTC 2024
Recent Commits to cve:main / 2mo
Update Sun Sep 8 14:33:03 UTC 2024
michenriksen starred timothee-chauvin/eyeballvul
GitHub Public Timeline Feed / 4mo
eyeballvul is an open-source benchmark designed to enable the evaluation of SAST vulnerability detection tools, especially ones based on language models. While most benchmarks eventually make it into the training data of language models, eyeballvul is designed to be future-proof: it is updated weekly from the stream of CVEs in open-source repositories.
eyeballvul added to PyPI
PyPI newest packages / 6mo
eyeballvul is an open-source benchmark designed to enable the evaluation of SAST vulnerability detection tools, especially ones based on language models, designed to be future-proof. compare the results of the SAST tool with the list of known vulnerabilities for each commit, especially the ones that were published after the training data cutoff.
Multiple flaws found in AI systems, at least 16 critical
BeyondMachines / 7mo
Take action: If you are using anything-llm, zenml, pytorch/serve, bentoml, llama_index, qdrant, lollms-webui, localai, mlflow and lunary, review the list and plan to patch or update. The critical issues in the latest report include issues with anything-llm, zenml, pytorch/serve, bentoml, llama_index, qdrant, lollms-webui, localai, mlflow and lunary:
48 Vulnerabilities Uncovered In AI systems : Surge By 220%
Cyber Security News / 7mo
An attacker can use this vulnerability to run arbitrary code to compromise the server hosting PyTorch Serve. This vulnerability allows remote attackers to execute arbitrary code on the server.
See 5 more articles and social media posts

CVSS V3.1

Unknown

Categories

CWE-98(62)

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI

Feedly Threat Intelligence30-day free trial