How severe is CVE-2024-2360?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2024-2360?

This is classified as CWE-29, which is a common weakness in software security.

CVE-2024-2360 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

parisneo/lollms-webui is vulnerable to path traversal attacks that can lead to remote code execution due to insufficient sanitization of user-supplied input in the 'Database path' and 'PDF LaTeX path' settings. An attacker can exploit this vulnerability by manipulating these settings to execute arbitrary code on the targeted server. The issue affects the latest version of the software. The vulnerability stems from the application's handling of the 'discussion_db_name' and 'pdf_latex_path' parameters, which do not properly validate file paths, allowing for directory traversal. This vulnerability can also lead to further file exposure and other attack vectors by manipulating the 'discussion_db_name' parameter.

Related Vulnerabilities

CVE-2023-1177

CRITICAL

CVSS:9.8(Critical)

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.

CWE-292023

CVE-2023-2780

CRITICAL

CVSS:9.8(Critical)

Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.3.1.

CWE-292023

CVE-2023-6975

CRITICAL

CVSS:9.8(Critical)

A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information.

CWE-292023

CVE-2024-2358

CRITICAL

CVSS:9.8(Critical)

A path traversal vulnerability in the '/apply_settings' endpoint of parisneo/lollms-webui allows attackers to execute arbitrary code. The vulnerability arises due to insufficient sanitization of user-...

CWE-292024

CVE-2024-3429

CRITICAL

CVSS:9.8(Critical)

A path traversal vulnerability exists in the parisneo/lollms application, specifically within the `sanitize_path_from_endpoint` and `sanitize_path` functions in `lollms_core\lollms\security.py`. This ...

CWE-292024

CVE-2024-4320

CRITICAL

CVSS:9.8(Critical)

A remote code execution (RCE) vulnerability exists in the '/install_extension' endpoint of the parisneo/lollms-webui application, specifically within the `@router.post("/install_extension")` route han...

CWE-292024