Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS05Y2htLW02eDItNmZ2Y84AA9Zw

lollms vulnerable to path traversal due to unauthenticated root folder settings change

A path traversal vulnerability exists in the XTTS server included in the lollms package, version v9.6. This vulnerability arises from the ability to perform an unauthenticated root folder settings change. Although the read file endpoint is protected against path traversals, this protection can be bypassed by changing the root folder to '/'. This allows attackers to read arbitrary files on the system. Additionally, the output folders can be changed to write arbitrary audio files to any location on the system.

Permalink: https://github.com/advisories/GHSA-9chm-m6x2-6fvc
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05Y2htLW02eDItNmZ2Y84AA9Zw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 6 months ago
Updated: 6 months ago


CVSS Score: 8.6
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

EPSS Percentage: 0.00044
EPSS Percentile: 0.1207

Identifiers: GHSA-9chm-m6x2-6fvc, CVE-2024-6085
References: Blast Radius: 5.2

Affected Packages

pypi:lollms
Dependent packages: 0
Dependent repositories: 4
Downloads: 4,797 last month
Affected Version Ranges: <= 9.5.1
No known fixed version
All affected versions: 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.5, 1.1.6, 1.1.7, 1.1.9, 1.1.10, 1.1.11, 1.1.12, 1.1.13, 1.1.14, 1.1.15, 1.1.16, 1.1.17, 1.1.18, 1.1.19, 1.1.20, 1.1.21, 1.1.22, 1.1.25, 1.1.26, 1.1.27, 1.1.28, 1.1.29, 1.1.30, 1.1.31, 1.1.32, 1.1.33, 1.1.34, 1.1.35, 1.1.36, 1.1.37, 1.1.38, 1.1.40, 1.1.45, 1.1.46, 1.1.47, 1.1.48, 1.1.49, 1.1.50, 1.1.51, 1.1.52, 1.1.53, 1.1.55, 1.1.56, 1.1.57, 1.1.58, 1.1.59, 1.1.60, 1.1.61, 1.1.62, 1.1.63, 1.1.64, 1.1.65, 1.1.66, 1.1.67, 1.1.68, 1.1.69, 1.1.70, 1.1.71, 1.1.73, 1.1.74, 1.1.75, 1.1.76, 1.1.77, 1.1.78, 1.1.79, 1.1.80, 1.1.82, 1.1.83, 1.1.84, 1.1.85, 1.1.86, 1.1.90, 1.1.91, 1.1.92, 1.2.0, 1.2.1, 1.2.3, 1.2.4, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.2.10, 1.2.11, 1.2.12, 1.2.14, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.0.13, 2.0.14, 2.0.15, 2.0.16, 2.0.17, 2.0.18, 2.0.19, 2.0.20, 2.0.21, 2.0.22, 2.0.23, 2.0.24, 2.0.25, 2.0.26, 2.0.27, 2.0.28, 2.0.30, 2.0.31, 2.0.32, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.1.17, 2.1.18, 2.1.19, 2.1.20, 2.1.21, 2.1.22, 2.1.23, 2.1.24, 2.1.25, 2.1.26, 2.1.27, 2.1.28, 2.1.29, 2.1.30, 2.1.31, 2.1.32, 2.1.34, 2.1.35, 2.1.36, 2.1.37, 2.1.38, 2.1.39, 2.1.40, 2.1.42, 2.1.43, 2.1.44, 2.1.45, 2.1.46, 2.1.47, 2.1.48, 2.1.49, 2.1.50, 2.1.51, 2.1.53, 2.1.54, 2.1.55, 2.1.56, 2.1.59, 2.1.60, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.3.0, 2.3.1, 2.3.3, 2.3.4, 3.0.0, 3.1.0, 3.1.5, 3.2.0, 4.0.0, 4.0.1, 4.0.2, 4.1.0, 4.1.5, 4.1.6, 4.2.0, 4.2.1, 4.2.2, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 5.0.0, 5.0.1, 5.0.2, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.3.0, 5.3.1, 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.6.0, 5.6.2, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.7.5, 5.7.6, 5.7.7, 5.7.8, 5.7.9, 5.8.0, 5.8.1, 5.8.2, 5.8.3, 5.8.5, 5.8.6, 5.8.7, 5.8.8, 5.9.0, 5.9.1, 5.9.2, 5.9.3, 5.9.4, 5.9.5, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.1.1, 6.2.0, 6.4.0, 6.5.0, 6.5.1, 6.5.2, 6.6.0, 6.7.0, 6.9.0, 7.2.0, 9.3.0, 9.5.0, 9.5.1