Executive Summary

Informations
Name CVE-2024-1873 First vendor Publication 2024-06-06
Vendor Cve Last vendor Modification 2024-10-15

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Overall CVSS Score 9.1
Base Score 9.1 Environmental Score 9.1
impact SubScore 5.2 Temporal Score 9.1
Exploitabality Sub Score 3.9
 
Attack Vector Network Attack Complexity Low
Privileges Required None User Interaction None
Scope Unchanged Confidentiality Impact None
Integrity Impact High Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score N/A Attack Range N/A
Cvss Impact Score N/A Attack Complexity N/A
Cvss Expoit Score N/A Authentication N/A
Calculate full CVSS 2.0 Vectors scores

Detail

parisneo/lollms-webui is vulnerable to path traversal and denial of service attacks due to an exposed `/select_database` endpoint in version a9d16b0. The endpoint improperly handles file paths, allowing attackers to specify absolute paths when interacting with the `DiscussionsDB` instance. This flaw enables attackers to create directories anywhere on the system where the application has permissions, potentially leading to denial of service by creating directories with names of critical files, such as HTTPS certificate files, causing server startup failures. Additionally, attackers can manipulate the database path, resulting in the loss of client data by constantly changing the file location to an attacker-controlled location, scattering the data across the filesystem and making recovery difficult.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-1873

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 1

Sources (Detail)

https://huntr.com/bounties/c1cfc0d9-517a-4d0e-bf1c-6444c1fd195d
Source Url

Alert History

If you want to see full details history, please login or register.
0
1
2
Date Informations
2024-10-16 00:27:44
  • Multiple Updates
2024-06-07 21:27:24
  • Multiple Updates
2024-06-07 00:27:26
  • First insertion