CVE-2024-6394

Path Traversal: '\..\filename' (CWE-29)

Published: Sep 30, 2024 / Updated: 50d ago

No CVSS yet / EPSS 0.04%

A Local File Inclusion vulnerability exists in parisneo/lollms-webui versions below v9.8. The vulnerability is due to unverified path concatenation in the `serve_js` function in `app.py`, which allows attackers to perform path traversal attacks. This can lead to unauthorized access to arbitrary files on the server, potentially exposing sensitive information such as private SSH keys, configuration files, and source code.
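As an added, defender-side illustration of the pattern the description names (example code written for this page, not code from lollms-webui or from its `app.py`; `ASSET_ROOT` and both function names are assumptions), the snippet below puts unverified path concatenation beside a containment check that rejects any request resolving outside the serving directory. It also folds the backslash spelling of CWE-29 (`'\..\filename'`) into the same check.

```python
import posixpath
from typing import Optional

# Constructed example root for a static-asset directory; not lollms-webui's real layout.
ASSET_ROOT = "/srv/webui/static"


def naive_join(root: str, requested: str) -> str:
    """The pattern the advisory describes: the request path is concatenated onto
    the serving root with no verification, so '..' segments can walk out of it."""
    return posixpath.join(root, requested)


def safe_join(root: str, requested: str) -> Optional[str]:
    """Join `requested` onto `root`; return None if the result would escape `root`.

    Assumes the web framework has already URL-decoded `requested` exactly once.
    """
    root = posixpath.normpath(root)
    # CWE-29 is the backslash variant ('\..\filename'); treat '\' as a separator
    # so one check covers both spellings of a traversal sequence.
    normalized = requested.replace("\\", "/")
    # An absolute request would replace the root entirely when joined.
    if normalized.startswith("/"):
        return None
    # Collapse '.' and '..' segments, then verify containment on whole path
    # segments (commonpath is segment-based, so '/srv/webui/static2' does not
    # pass as a prefix of '/srv/webui/static').
    candidate = posixpath.normpath(posixpath.join(root, normalized))
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: benign, benign-with-dots, and traversal attempts.
    for req in ["js/app.js", "js/../app.js", "../../../etc/passwd", "js\\..\\..\\config.yaml"]:
        print(f"{req!r:32} naive -> {naive_join(ASSET_ROOT, req)!r:48} "
              f"safe -> {safe_join(ASSET_ROOT, req)!r}")
```

The fix is the containment check after normalisation, not a denylist of `..`: rejecting the literal string misses the backslash form, encoded forms, and absolute paths, whereas comparing the normalised result against the root catches all of them.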

Timeline

CVE Assignment

NVD published the first details for CVE-2024-6394

Sep 30, 2024 at 8:15 AM
First Article

Feedly found the first article mentioning CVE-2024-6394. See article

Sep 30, 2024 at 8:17 AM / National Vulnerability Database
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Sep 30, 2024 at 8:18 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 9.6%)

Oct 1, 2024 at 11:01 AM
Static CVE Timeline Graph

Affected Systems

Apache

News

CVE Alert: CVE-2024-6394 - https://www.redpacketsecurity.com/cve_alert_cve-2024-6394/ #OSINT #ThreatIntel #CyberSecurity #cve_2024_6394
CVE-2024-6394
Severity 3.1 (CVSS 3.1 Base Score)
NA - CVE-2024-6394 - A Local File Inclusion vulnerability exists in...
A Local File Inclusion vulnerability exists in parisneo/lollms-webui versions below v9.8. The vulnerability is due to unverified path concatenation in the `serve_js` function in `app.py`, which...
Unauthorized Access to Arbitrary Files on Server via Path Traversal
Parisneo - HIGH - CVE-2024-6394 A Local File Inclusion vulnerability exists in parisneo/lollms-webui versions below v9.8. The vulnerability is due to unverified path concatenation in the `serve_js` function in `app.py`, which allows attackers to perform path traversal attacks. This can lead to unauthorized access to arbitrary files on the server, potentially exposing sensitive information such as private SSH keys, configuration files, and source code.
CVE-2024-6394 | parisneo lollms-webui up to 9.7 Configuration File app.py serve_js path traversal
A vulnerability classified as problematic has been found in parisneo lollms-webui up to 9.7. Affected is the function serve_js of the file app.py of the component Configuration File Handler. The manipulation leads to path traversal: '\..\filename'. This vulnerability is traded as CVE-2024-6394. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

CVSS V3.1

Unknown
