CVE-2024-9597

Path Traversal in parisneo/lollms

CVSS 7.1 HIGHEPSS 0.3%CWE-22

Vexday Risk Score

21Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 7.1EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

20 mar 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

A Path Traversal vulnerability exists in the `/wipe_database` endpoint of parisneo/lollms version v12, allowing an attacker to delete any directory on the system. The vulnerability arises from improper validation of the `key` parameter, which is used to construct file paths. An attacker can exploit this by sending a specially crafted HTTP request to delete arbitrary directories.

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Productos afectados

parisneo · parisneo/lollms

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://huntr.com/bounties/1f6c8908-d486-4141-be55-25bd29933d8b