CVE-2024-6394: Local File Inclusion in parisneo/lollms-webui
First published: Mon Sep 30 2024(Updated: )
A Local File Inclusion vulnerability exists in parisneo/lollms-webui versions below v9.8. The vulnerability is due to unverified path concatenation in the `serve_js` function in `app.py`, which allows attackers to perform path traversal attacks. This can lead to unauthorized access to arbitrary files on the server, potentially exposing sensitive information such as private SSH keys, configuration files, and source code.
Credit: security@huntr.dev
| Affected Software | Affected Version | How to fix |
|---|---|---|
| parisneo lollms | <9.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-6394?
CVE-2024-6394 has been classified with a medium severity rating due to its potential impact on unauthorized file access.
How do I fix CVE-2024-6394?
To remediate CVE-2024-6394, upgrade parisneo/lollms-webui to version 9.8 or higher.
What types of attacks are possible with CVE-2024-6394?
CVE-2024-6394 can be exploited through path traversal attacks, allowing unauthorized access to local files.
Which versions of lollms-webui are affected by CVE-2024-6394?
All versions of lollms-webui below version 9.8 are affected by CVE-2024-6394.
Who can exploit CVE-2024-6394?
Any attacker with the ability to send requests to the vulnerable lollms-webui server can exploit CVE-2024-6394.
- agent/weakness
- agent/title
- agent/references
- agent/description
- agent/type
- agent/first-publish-date
- agent/severity
- agent/author
- agent/event
- collector/nvd-api
- source/NVD
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/parisneo
- canonical/parisneo lollms