Primary

Context

OpenBMB XAgent Path Traversal Vulnerability in the /conv/community API

Vulnerability

A critical path traversal vulnerability has been identified in OpenBMB XAgent versions through 1.0.0. The issue arises in the /conv/community API, where the application fails to properly authenticate permissions and validate input parameters. This oversight allows for manipulation that leads to unauthorized access to files or directories outside of the intended restricted paths.

Impact

Exploitation of this vulnerability allows for path traversal, where an attacker can access files and directories outside of the intended scope, potentially leading to unauthorized data exposure or manipulation.

Reproduction

To reproduce this vulnerability, first register a user account and then create an interaction. Afterward, call the /conv/community API, including a crafted interaction payload that exploits the path traversal vulnerability by manipulating the 'create_time' parameter to traverse directories.

Added: Jun 19, 2025, 10:17 PM

Updated: Jun 19, 2025, 10:17 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

8.7

remediation

0.0

relevance

0.2

threat

6.4

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

8.7

remediation

0.0

relevance

0.2

threat

6.4

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

OpenBMB XAgent Path Traversal Vulnerability in the /conv/community API

Vulnerability

Impact

Reproduction

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating