CVE-2024-6394

HIGH Year: 2024
CVSS v3 Score
7.5
High
Weakness Type
CWE-29
View all →

Vulnerability Description

A Local File Inclusion vulnerability exists in parisneo/lollms-webui versions below v9.8. The vulnerability is due to unverified path concatenation in the `serve_js` function in `app.py`, which allows attackers to perform path traversal attacks. This can lead to unauthorized access to arbitrary files on the server, potentially exposing sensitive information such as private SSH keys, configuration files, and source code.

Related Vulnerabilities

CVE-2023-6021

HIGH
CVSS:7.5(High)

LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.any...

CWE-292023

CVE-2023-6130

HIGH
CVSS:7.5(High)

Path Traversal: '\..\filename' in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.

CWE-292023

CVE-2023-6909

HIGH
CVSS:7.5(High)

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2.

CWE-292023

CVE-2024-1561

HIGH
CVSS:7.5(High)

An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifica...

CWE-292024

CVE-2024-2178

HIGH
CVSS:7.5(High)

A path traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'copy_to_custom_personas' endpoint in the 'lollms_personalities_infos.py' file. This vulnerability allows at...

CWE-292024

CVE-2024-2928

HIGH
CVSS:7.5(High)

A Local File Inclusion (LFI) vulnerability was identified in mlflow/mlflow, specifically in version 2.9.2, which was fixed in version 2.11.3. This vulnerability arises from the application's failure t...

CWE-292024