Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
prompts.chat Path Traversal via Skill File Handling
Vulnerability Description
prompts.chat prior to commit 0f8d4c3 contains a path traversal vulnerability in skill file handling that allows attackers to write arbitrary files to the client system by crafting malicious ZIP archives with unsanitized filenames containing path traversal sequences. Attackers can exploit missing server-side filename validation to inject path traversal sequences ../ into skill file archives, which when extracted by vulnerable tools write files outside the intended directory and overwrite shell initialization files to achieve code execution.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
prompts.chat 路径遍历漏洞
Vulnerability Description
prompts.chat是Fatih Kadir Akın个人开发者的一个开源AI提示词库。 prompts.chat 0f8d4c3之前版本存在路径遍历漏洞,该漏洞源于技能文件处理中存在路径遍历,攻击者可通过特制包含路径遍历序列的恶意ZIP归档文件向客户端系统写入任意文件,可能导致代码执行。
CVSS Information
N/A
Vulnerability Type
N/A