Security Advisory

CVE-2024-2178

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2024-06-02 10:52:32
Last updated 2024-08-01 19:03:39
Assigner @huntr_ai
State PUBLISHED

Description

A path traversal vulnerability exists in parisneo/lollms-webui, specifically in the copy_to_custom_personas endpoint in the lollms_personalities_infos.py file. The vulnerability allows attackers to read arbitrary files by manipulating the category and name parameters during the "Copy to custom personas folder for editing" process. By inserting ../ sequences in these parameters, attackers can traverse the directory structure and access files outside the intended directory. Successful exploitation results in unauthorized access to sensitive information.
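The containment check this class of bug calls for, as an added example that is not code from lollms-webui or from the advisory: it contrasts an unchecked join of category and name with a version that validates each component and confirms the resolved path stays under the base directory. The function names, the UnsafePath exception and the allowed-character pattern are assumptions made for illustration.

```python
import re
from pathlib import Path

# Assumed allow-list for one path component: no separators, no leading dot.
_COMPONENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9_. -]{0,63}")


class UnsafePath(ValueError):
    """category/name would resolve outside the base directory."""


def naive_join(base: Path, category: str, name: str) -> Path:
    # Pattern the advisory describes: request values joined without checks.
    # Note that pathlib discards `base` entirely if a part is absolute.
    return base / category / name


def safe_join(base: Path, category: str, name: str) -> Path:
    root = base.resolve()
    for label, part in (("category", category), ("name", name)):
        # Rejects "", ".", "..", "/", "\\", NUL and absolute paths in one test.
        if not _COMPONENT.fullmatch(part):
            raise UnsafePath(f"{label} is not a plain directory name: {part!r}")
    # resolve() follows symlinks, so a link inside the tree that points
    # elsewhere is caught by the containment test below.
    candidate = (root / category / name).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise UnsafePath(f"{candidate} is outside {root}") from None
    return candidate


if __name__ == "__main__":
    base = Path("personalities")  # constructed sample base directory
    for category, name in [("generic", "assistant"), ("..", ".."), ("/etc", "x")]:
        try:
            print("ok     ", safe_join(base, category, name))
        except UnsafePath as exc:
            print("blocked", exc)
```

Validating the components alone is not sufficient where symlinks can exist under the base directory, which is why the resolved path is also checked.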