CVE-2024-10019

MEDIUM Year: 2024
CVSS v3 Score
6.3
Medium
Weakness Type
CWE-23
View all →

Vulnerability Description

A vulnerability in the `start_app_server` function of parisneo/lollms-webui V12 (Strawberry) allows for path traversal and OS command injection. The function does not properly sanitize the `app_name` parameter, enabling an attacker to upload a malicious `server.py` file and execute arbitrary code by exploiting the path traversal vulnerability.

Related Vulnerabilities

CVE-2020-8865

MEDIUM
CVSS:6.3(Medium)

This vulnerability allows remote attackers to execute local PHP files on affected installations of Horde Groupware Webmail Edition 5.2.22. Authentication is required to exploit this vulnerability. The...

CWE-232020

CVE-2018-13299

MEDIUM
CVSS:6.5(Medium)

Relative path traversal vulnerability in Attachment Uploader in Synology Calendar before 2.2.2-0532 allows remote authenticated users to upload arbitrary files via the filename parameter.

CWE-232018

CVE-2019-11822

MEDIUM
CVSS:6.5(Medium)

Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto p...

CWE-232019

CVE-2019-18338

MEDIUM
CVSS:6.5(Medium)

A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The Control Center Server (CCS) contains a directory traversal vulnerability in its XML-based communication ...

CWE-232019

CVE-2019-19287

MEDIUM
CVSS:6.5(Medium)

A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow attackers to traverse through the file system of the server based by sending specially crafted packets ov...

CWE-232019

CVE-2020-5405

MEDIUM
CVSS:6.5(Medium)

Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to serve arbitrary configuration files through the spring-cloud-con...

CWE-232020