Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
SillyTavern: Path traversal in `/api/chats/export` and `/api/chats/delete` allows arbitrary file read/delete within user data root
Vulnerability Description
SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to version 1.17.0, a path traversal vulnerability in chat endpoints allows an authenticated attacker to read and delete arbitrary files under their user data root (for example secrets.json and settings.json) by supplying avatar_url="..". This issue has been patched in version 1.17.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
SillyTavern 路径遍历漏洞
Vulnerability Description
SillyTavern是SillyTavern开源的一个大语言模型的前端界面。 SillyTavern 1.17.0之前版本存在路径遍历漏洞,该漏洞源于聊天端点存在路径遍历,可能导致经过身份验证的攻击者读取和删除其用户数据根目录下的任意文件。
CVSS Information
N/A
Vulnerability Type
N/A