CVE-2024-6139
HIGH7.3EPSS 0.12%lollms vulnerable to dot-dot-slash path traversal in XTTS server
發布日:2024/6/27修改日:2024/6/28
描述
A path traversal vulnerability exists in the XTTS server of the parisneo/lollms package version v9.6. This vulnerability allows an attacker to write audio files to arbitrary locations on the system and enumerate file paths. The issue arises from improper validation of user-provided file paths in the `tts_to_file` endpoint.
受影響套件(1)
- PyPI/lollmsfrom 0, <= 9.5.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |