
CVE-2024-10047

Severity: Medium · Public PoC available

Published: 20 March 2025
Modified: 08 July 2025
KEV Added: not listed
Patch: no entry recorded
CVSS Score (v3): 5.3, vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score: 0.0123 (79.6th percentile)
Risk Priority: 11 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-10047 is a medium-severity Absolute Path Traversal (CWE-36) vulnerability in Lollms Web Ui by Lollms (the parisneo/lollms-webui project). Its CVSS base score is 5.3 (Medium); the vector (AV:N, PR:N, UI:N, C:L) describes a network-reachable flaw that needs no authentication or user interaction and affects confidentiality only.

Operationally, exploitation maps to the MITRE ATT&CK technique File and Directory Discovery (T1083). The CVE ranks in the top 20.4% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.


Vulnerability details

parisneo/lollms-webui versions v9.9 through the latest release are affected by a directory listing vulnerability. An unauthenticated attacker can list arbitrary directories on a Windows host by sending a specially crafted HTTP request to the /open_file endpoint.

CWE(s)

CWE-36 Absolute Path Traversal

Related Threats

MITRE ATT&CK Enterprise Techniques

T1083 File and Directory Discovery (tactic: Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Why these techniques?

The directory listing vulnerability in the /open_file endpoint enables arbitrary file and directory discovery (T1083) on the Windows host via crafted HTTP requests.

Affected Assets

Vendor: lollms
Product: lollms web ui
Version: 9.9

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
