CVE-2024-4841

Path Traversal: '\..\filename' (CWE-29)

Published: Jun 23, 2024 / Updated: 4mo ago

010
No CVSS yetEPSS 0.04%
CVE info copied to clipboard

Summary

A Path Traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the 'add_reference_to_local_mode' function due to lack of input sanitization. By exploiting this vulnerability, an attacker can predict folders, subfolders, and files present on the victim's system. The vulnerability affects versions v9.6 to the latest.

Impact

An attacker exploiting this vulnerability could potentially access sensitive data and files on the victim's system that they should not have access to. This could lead to data breaches, privilege escalation, and further compromise of the system.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

The vulnerability appears to be unpatched as it affects versions v9.6 to the latest release of the parisneo/lollms-webui application.

Mitigation

Apply the latest software updates and patches from the vendor as soon as they become available. As an interim mitigation, restrict access to the '/add_reference_to_local_model' endpoint and properly sanitize the 'path' parameter in HTTP requests until an official patch is released.

Timeline

CVE Assignment

NVD published the first details for CVE-2024-4841

Jun 23, 2024 at 3:15 PM
First Article

Feedly found the first article mentioning CVE-2024-4841. See article

Jun 23, 2024 at 3:21 PM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Jun 23, 2024 at 3:21 PM
Trending

This CVE started to trend in security discussions

Jun 23, 2024 at 5:24 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.1%)

Jun 24, 2024 at 10:06 AM
Trending

This CVE stopped trending in security discussions

Jun 26, 2024 at 3:13 PM
Static CVE Timeline Graph

News

CVE-2024-4841
A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'add_reference_to_local_mode' function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest. By exploiting this vulnerability, an attacker can predict the CVE-2024-4841 originally published on CyberSecurityBoard
CVE-2024-4841 - Exploits & Severity - Feedly
A Path Traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the 'add_reference_to_local_mode' function due to lack of input sanitization. An attacker exploiting this vulnerability could potentially access sensitive data and files on the victim's system that they should not have access to.
NA - CVE-2024-4841 - A Path Traversal vulnerability exists in the...
A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'add_reference_to_local_mode' function due to the lack of input sanitization. This...
CVE-2024-4841
Gravedad 3.1 (CVSS 3.1 Base Score) A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'add_reference_to_local_mode' function due to the lack of input sanitization.
CVE-2024-4841
Medium Severity Description A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'add_reference_to_local_mode' function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest. By exploiting this vulnerability, an attacker can predict the folders, subfolders, and files present on the victim's computer. The vulnerability is present in the way the application handles the 'path' parameter in HTTP requests to the '/add_reference_to_local_model' endpoint. Read more at https://www.tenable.com/cve/CVE-2024-4841
See 6 more articles and social media posts

CVSS V3.1

Unknown

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI