How severe is CVE-2024-1873?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.2 out of 10.

What type of vulnerability is CVE-2024-1873?

This is classified as CWE-749, which is a common weakness in software security.

CVE-2024-1873 - HIGH Severity | CVSS 8.2

Vulnerability Description

parisneo/lollms-webui is vulnerable to path traversal and denial of service attacks due to an exposed `/select_database` endpoint in version a9d16b0. The endpoint improperly handles file paths, allowing attackers to specify absolute paths when interacting with the `DiscussionsDB` instance. This flaw enables attackers to create directories anywhere on the system where the application has permissions, potentially leading to denial of service by creating directories with names of critical files, such as HTTPS certificate files, causing server startup failures. Additionally, attackers can manipulate the database path, resulting in the loss of client data by constantly changing the file location to an attacker-controlled location, scattering the data across the filesystem and making recovery difficult.

Related Vulnerabilities

CVE-2016-9469

HIGH

CVSS:8.2(High)

Multiple versions of GitLab expose a dangerous method to any authenticated user that could lead to the deletion of all Issue and MergeRequest objects on a GitLab instance. For GitLab instances with pu...

CWE-7492016

CVE-2023-26478

HIGH

CVSS:8.1(High)

XWiki Platform is a generic wiki platform. Starting in version 14.3-rc-1, `org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment` returns an instance of `com.xpn.xwiki.doc...

CWE-7492023

CVE-2023-39214

HIGH

CVSS:8.1(High)

Exposure of sensitive information in Zoom Client SDK's before 5.15.5 may allow an authenticated user to enable a denial of service via network access.

CWE-7492023

CVE-2024-47005

HIGH

CVSS:8.1(High)

Sharp and Toshiba Tec MFPs provide configuration related APIs. They are expected to be called by administrative users only, but insufficiently restricted. A non-administrative user may execute some co...

CWE-7492024

CVE-2019-12948

HIGH

CVSS:8.3(High)

A vulnerability in the web-based management interface of VVX, Trio, SoundStructure, SoundPoint, and SoundStation phones running Polycom UC Software, if exploited, could allow an authenticated, remote ...

CWE-7492019

CVE-2024-12651

HIGH

CVSS:8.5(High)

Exposed Dangerous Method or Function vulnerability in PTT Inc. HGS Mobile App allows Manipulating User-Controlled Variables.This issue affects HGS Mobile App: before 6.5.0.

CWE-7492024