Wiz
Vulnerability DatabaseCVE-2024-6281

CVE-2024-6281
Python vulnerability analysis and mitigation

Overview

A path traversal vulnerability exists in the apply_settings function of parisneo/lollms versions prior to 9.5.1. The vulnerability was discovered and disclosed on July 20, 2024. The affected component is the sanitize_path function which fails to properly secure the discussion_db_name parameter (NVD).

Technical details

The vulnerability stems from inadequate path sanitization in the apply_settings function, specifically related to the discussion_db_name parameter. The CVSS 3.0 base score is 7.3 (HIGH) with the vector string CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H, indicating local access is required but no privileges or user interaction are needed (NVD, Huntr).

Impact

The vulnerability allows attackers to manipulate the path and potentially write to important system folders, which could lead to unauthorized access to system resources and potential system compromise (NVD).

Mitigation and workarounds

The vulnerability has been fixed in version 9.5.1 of parisneo/lollms. Users should upgrade to this version or later to mitigate the vulnerability. The fix involves improved sanitization of the discussiondbname and user_avatar parameters (Github).

Additional resources

SourceThis report was generated using AI

Related Python vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-65896CRITICAL9.8
  • PythonPython
  • asyncmy
NoNoDec 02, 2025
CVE-2025-66423HIGH7.1
  • PythonPython
  • tryton-server
NoYesNov 30, 2025
CVE-2025-66454MEDIUM6.5
  • PythonPython
  • arcade-mcp-server
NoYesDec 02, 2025
CVE-2025-66424MEDIUM6.5
  • PythonPython
  • trytond
NoYesNov 30, 2025
CVE-2025-65858LOW3.5
  • PythonPython
  • calibreweb
NoNoDec 02, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo