CVE-2024-6985

Advisory

Affected versions of the lollms package are vulnerable to Path Traversal due to improper sanitization of the personality_folder parameter. The api open_personality_folder endpoint in the Lollms package fails to adequately validate or sanitize the personality_folder input, allowing directory traversal sequences to bypass the sanitize_path logic. An attacker can exploit this by crafting input that navigates out of the intended directory and reads arbitrary files on the host’s filesystem, potentially disclosing sensitive data located outside the designated personality folder.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://huntr.com/bounties/79c11579-47d8-4e68-8466-b47c3bf5ef6a
• https://github.com/advisories/GHSA-6h64-g7cj-hj56
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6985