Kotaemon · Kotaemon · CVE-2025-53358
Name of the Vulnerable Software and Affected Versions:
kotaemon versions 0.10.6 and prior
Description:
kotaemon is an open-source RAG-based tool for document comprehension. In the affected versions, the `index fn` method in `libs/ktem/ktem/index/file/ui.py` accepts both URLs and local file paths without validation, allowing an attacker to traverse directories and read sensitive files from the server. For example, a value such as `../../../../../.env` could be used to read sensitive configuration.
Recommendations:
For versions 0.10.6 and prior, update to version 0.10.7 or later, which includes the patch for this issue via commit 37cdc28.
As a temporary workaround, if upgrading is not immediately possible, consider disabling the `index fn` method in `libs/ktem/ktem/index/file/ui.py`.
Restrict access to sensitive files and directories to minimize the risk of exploitation.
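The following is an added example of the kind of input validation this advisory says is missing; it is not kotaemon's code and does not reflect the project's actual fix. It assumes a hypothetical upload root (`ALLOWED_ROOT`) and a hypothetical validator (`classify_source`) that an indexing entry point would call before touching the filesystem. Remote sources are limited to http(s) URLs with a host (so `file://` cannot be used to read local disk), and local sources must be relative paths that stay inside the allowed root after symlink resolution.

```python
"""Source validation for a document-indexing entry point (added example, not project code)."""
from pathlib import Path
from urllib.parse import urlparse

# Hypothetical upload root; the real project's directory layout is not part of this example.
ALLOWED_ROOT = Path("/srv/app/uploads")
ALLOWED_SCHEMES = {"http", "https"}


class RejectedSource(ValueError):
    """Raised when a source string is neither a permitted URL nor a file inside ALLOWED_ROOT."""


def classify_source(value: str, root: Path = ALLOWED_ROOT) -> tuple[str, str]:
    """Return ("url", value) or ("file", resolved_path), or raise RejectedSource.

    - Anything with a URL scheme must be http(s) with a host; file:// and other
      schemes are rejected so a "URL" cannot be used to read the local disk.
    - Anything else is treated as a local path: it must be relative, must not
      contain '..' components, and must resolve (symlinks included) inside `root`.
    """
    if not isinstance(value, str) or not value.strip():
        raise RejectedSource("empty source")
    value = value.strip()

    parsed = urlparse(value)
    if parsed.scheme:
        if parsed.scheme.lower() in ALLOWED_SCHEMES and parsed.netloc:
            return ("url", value)
        raise RejectedSource(f"unsupported scheme: {parsed.scheme!r}")

    candidate = Path(value)
    if candidate.is_absolute():
        raise RejectedSource("absolute paths are not allowed")
    if any(part == ".." for part in candidate.parts):
        raise RejectedSource("path traversal components are not allowed")

    try:
        # resolve() follows symlinks and normalises the path even if it does not exist yet
        resolved = (root / candidate).resolve()
        root_resolved = root.resolve()
    except (OSError, ValueError) as exc:  # e.g. embedded null byte
        raise RejectedSource(f"unresolvable path: {exc}") from exc

    if not resolved.is_relative_to(root_resolved):
        raise RejectedSource("path escapes the allowed root")
    return ("file", str(resolved))


def is_allowed_source(value: str, root: Path = ALLOWED_ROOT) -> bool:
    """Boolean convenience wrapper around classify_source()."""
    try:
        classify_source(value, root)
        return True
    except RejectedSource:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: the traversal string from the advisory plus a few
    # other shapes a validator must handle.
    samples = [
        "https://example.com/report.pdf",
        "report.pdf",
        "../../../../../.env",
        "/etc/passwd",
        "file:///etc/passwd",
        "docs/../../secret.txt",
    ]
    for s in samples:
        try:
            print(f"{s!r:40} -> {classify_source(s)}")
        except RejectedSource as err:
            print(f"{s!r:40} -> rejected: {err}")
```

The check deliberately rejects `..` components before resolving rather than relying on resolution alone, so the reason for rejection is explicit in logs; the post-resolution `is_relative_to` check then catches symlink escapes that a purely lexical check would miss.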