An arbitrary file download vulnerability exists in the rpc_agent_client component of modelscope/agentscope version v0.0.4. This vulnerability allows any user to download any file from the rpc_agent's host by exploiting the download_file method. This can lead to unauthorized access to sensitive information, including configuration files, credentials, and potentially system files, which may facilitate further exploitation such as privilege escalation or lateral movement within the network.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HModelscope Agentscope
APPModelscope0.0.4
Related vulnerabilities
Path traversal umożliwiający usunięcie dowolnych plików w AgentScope
Path traversal w AgentScope umożliwia odczyt i zapis plików JSON
Błędna konfiguracja CORS w Modelscope AgentScope umożliwia nieautoryzowany dostęp do API
RCE przez niezabezpieczone eval() w Modelscope AgentScope
A directory traversal vulnerability exists in modelscope/agentscope version 0.0.4. An attacker can exploit thi...