HIGH 7.3

GHSA-w9qf-83jg-2x6c

lollms vulnerable to dot-dot-slash path traversal in XTTS server

상세

A path traversal vulnerability exists in the XTTS server of the parisneo/lollms package version v9.6. This vulnerability allows an attacker to write audio files to arbitrary locations on the system and enumerate file paths. The issue arises from improper validation of user-provided file paths in the `tts_to_file` endpoint.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / lollms

최초 영향 버전: 0

No fixed version published yet for lollms (pip). Pin to a known-safe version or switch to an alternative.

참고

https://nvd.nist.gov/vuln/detail/CVE-2024-6139 [ADVISORY]
https://github.com/ParisNeo/lollms [PACKAGE]
https://huntr.com/bounties/fd00f112-efd0-40a1-8227-d6733716e4c0 [WEB]