{"id":"CVE-2024-3322","details":"A path traversal vulnerability exists in the 'cyber_security/codeguard' native personality of the parisneo/lollms-webui, affecting versions up to 9.5. The vulnerability arises from the improper limitation of a pathname to a restricted directory in the 'process_folder' function within 'lollms-webui/zoos/personalities_zoo/cyber_security/codeguard/scripts/processor.py'. Specifically, the function fails to properly sanitize user-supplied input for the 'code_folder_path', allowing an attacker to specify arbitrary paths using '../' or absolute paths. This flaw leads to arbitrary file read and overwrite capabilities in specified directories without limitations, posing a significant risk of sensitive information disclosure and unauthorized file manipulation.","modified":"2026-04-10T05:12:36.861241Z","published":"2024-06-06T19:16:01.247Z","references":[{"type":"FIX","url":"https://github.com/parisneo/lollms-webui/commit/1e17df01e01d4d33599db2afaafe91d90b6f0189"},{"type":"EVIDENCE","url":"https://huntr.com/bounties/e0822362-033a-4a71-b1dc-d803f03bd427"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/parisneo/lollms-webui","events":[{"introduced":"0"},{"fixed":"eaa0b2035034d2cefcc536eb7d17a765dae4a6b4"},{"fixed":"1e17df01e01d4d33599db2afaafe91d90b6f0189"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"9.5"}]}}],"versions":["v0.0.1","v0.0.2","v0.0.3","v0.0.5","v0.0.6","v0.0.7","v0.0.8","v0.0.9","v3.0","v3.5","v4.0","v5.0","v6.0","v6.5","v6.5.0","v6.5rc2","v6.7","v7.0","v8.5","v9.0","v9.1","v9.2","v9.3","v9.4","v9.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-3322.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}