Vulnerability DatabaseCVE-2024-1600
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-1600
April 10, 2024
A Local File Inclusion (LFI) vulnerability exists in the parisneo/lollms-webui application, specifically within the "/personalities" route. An attacker can exploit this vulnerability by crafting a URL that includes directory traversal sequences ("../../") followed by the desired system file path, URL encoded. Successful exploitation allows the attacker to read any file on the filesystem accessible by the web server. This issue arises due to improper control of filename for include/require statement in the application.
Additional Notes
The description of this vulnerability differs from MITRE.
Related ResourcesĀ (2)
https://huntr.com/bounties/29ec621a-bd69-4225-ab0f-5bb8a1d10c67
https://github.com/parisneo/lollms-webui/commit/49b0332e98d42dd5204dda53dee410b160106265
Do you need more information?
Contact Us
CVSS v4
Base Score:
9.2
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
LOW
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
NONE
Subsequent System Availability
LOW
CVSS v3
Base Score:
9.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
LOW
Weakness Type (CWE)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CWE-98
EPSS
Base Score:
1.88