CVE-2024-6394
CVSS 3.0 Score 7.5 of 10 (high)
Details
Published Sep 30, 2024
CWE ID 29
Summary
CVE-2024-6394 is a Local File Inclusion vulnerability affecting parisneo/lollms-webui versions prior to v9.8. The issue lies in the `serve_js` function of `app.py`, where unverified path concatenation occurs. Attackers can exploit this vulnerability to perform path traversal attacks, potentially gaining unauthorized access to sensitive files. These files may include private SSH keys, configuration files, and source code, posing a significant risk to system security and confidentiality.
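The difference between unverified path concatenation and a containment check, as an added example that is not code from lollms-webui or from this advisory. The names `naive_path`, `safe_path` and `build_sample_tree`, and the sample directory layout, are hypothetical; the backslash handling reflects CWE-29, which covers the `\..\filename` form of traversal.

```python
import os
import tempfile
from pathlib import Path


def naive_path(base_dir: str, requested: str) -> str:
    """Unverified concatenation: the result can land outside base_dir."""
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_path(base_dir: str, requested: str):
    """Return the resolved file inside base_dir, or None if the request is rejected."""
    if "\x00" in requested:
        return None
    # Treat backslashes as separators so "..\" is caught on POSIX hosts too,
    # and drop leading slashes so an absolute path cannot replace the base.
    relative = requested.replace("\\", "/").lstrip("/")
    base = Path(base_dir).resolve()
    target = (base / relative).resolve()  # collapses ".." and follows symlinks
    try:
        target.relative_to(base)  # raises ValueError when target is outside base
    except ValueError:
        return None
    return target if target.is_file() else None


def build_sample_tree() -> str:
    """Constructed layout: <root>/web/js/app.js is public, <root>/secret.cfg is not."""
    root = tempfile.mkdtemp()
    js_dir = Path(root, "web", "js")
    js_dir.mkdir(parents=True)
    (js_dir / "app.js").write_text("console.log('ok');")
    Path(root, "secret.cfg").write_text("constructed secret")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    base = os.path.join(root, "web", "js")
    for name in ["app.js", "../../secret.cfg", "..\\..\\secret.cfg", "/etc/passwd"]:
        print(f"{name!r}: naive={naive_path(base, name)} safe={safe_path(base, name)}")
```

The check compares resolved paths rather than scanning the request string for `..`, so encoded or symlinked routes out of the directory are rejected by the same comparison.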