Severity: Medium

gpt_academic

LFI via URL-encoded Path Traversal in file Parameter

A Local File Inclusion (LFI) vulnerability, in practice an arbitrary file read, exists in gpt_academic version 3.83 (the latest release at the time of reporting). The `file` parameter accepts a URL-encoded path traversal sequence, allowing an attacker to read arbitrary files on the host system that the application process can access. The issue was reported privately to the maintainers and has not yet been patched.

Disclosed publicly on Dec 30, 2024

CVSS score: 6.5

Remediation Steps
  1. Validate the 'file' parameter only after fully URL-decoding it: canonicalize the resulting path (resolve symlinks and '..' segments) and reject anything that does not stay inside the directory the endpoint is meant to serve. A check for '../' on the still-encoded string is not sufficient, because '%2e%2e%2f' passes it and decodes to '../' afterwards.
  2. Reject requests whose decoded value is an absolute path, is still encoded after one round of decoding (double encoding), or is otherwise malformed.
  3. Update the software to a patched version once one is available; none exists at the time of publication.
  4. Regularly review and audit code for similar vulnerabilities, in particular any other request parameter that reaches a filesystem API.
  5. Prefer an allow-list approach: map the parameter to a fixed set of known-safe files or identifiers instead of accepting a user-supplied path.
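The following is an added illustration of remediation steps 1, 2 and 5, not code from gpt_academic or from the advisory. gpt_academic is a Python application, so the example is in Python; the handler shapes, the base directory and the allow-listed file names are hypothetical. It places a naive handler that filters '..' before decoding beside a hardened one that decodes first, canonicalizes with realpath, and enforces containment in the base directory, and shows an allow-list variant.

```python
import os
from urllib.parse import unquote

# Constructed example directory: where the endpoint is meant to read files from.
BASE_DIR = os.path.realpath("/srv/app/private_upload")

# Constructed allow-list for the strictest remediation (step 5).
ALLOWED_FILES = {"report.txt", "usage.md"}


def vulnerable_resolve(file_param: str) -> str:
    """Hypothetical naive handler. It looks for the literal '..' before
    URL-decoding, so an encoded payload such as '%2e%2e%2f' passes the check
    and becomes '../' only afterwards. This is the pattern the advisory warns
    against, reproduced to show the bypass."""
    if ".." in file_param:
        raise ValueError("path traversal rejected")
    decoded = unquote(file_param)
    return os.path.normpath(os.path.join(BASE_DIR, decoded))


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Decode until the string stops changing, so double-encoded payloads
    (e.g. '%252e%252e%252f') are seen in their final form. Refuse inputs
    that are still changing after max_rounds."""
    for _ in range(max_rounds):
        nxt = unquote(value)
        if nxt == value:
            return value
        value = nxt
    raise ValueError("excessive URL encoding")


def safe_resolve(file_param: str) -> str:
    """Hardened handler: decode first, reject null bytes, canonicalize the
    joined path, then require that the canonical path stays under BASE_DIR.
    os.path.join discards BASE_DIR when the decoded value is absolute, and
    realpath collapses '..', so the containment check catches both cases."""
    decoded = fully_decode(file_param)
    if "\x00" in decoded:
        raise ValueError("null byte in path")
    candidate = os.path.realpath(os.path.join(BASE_DIR, decoded))
    if os.path.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError("path escapes base directory")
    return candidate


def allowlisted_resolve(file_param: str) -> str:
    """Allow-list variant: the parameter must name one of a fixed set of
    files; no path syntax is interpreted at all."""
    decoded = fully_decode(file_param)
    if decoded not in ALLOWED_FILES:
        raise ValueError("file not in allow-list")
    return os.path.join(BASE_DIR, decoded)


if __name__ == "__main__":
    payload = "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd"  # encoded ../../../etc/passwd
    print("naive handler resolves to:", vulnerable_resolve(payload))
    for handler in (safe_resolve, allowlisted_resolve):
        try:
            handler(payload)
        except ValueError as exc:
            print(f"{handler.__name__} rejected payload: {exc}")
    print("legitimate file:", safe_resolve("report.txt"))
```

Running the block shows the naive handler returning a path outside the upload directory for the encoded payload while both hardened handlers reject it; the plain '../' form is caught by all three, which is why testing only unencoded traversal gives false confidence.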
Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A