2024-06-02 10:52:32
@huntr_ai
PUBLISHED
A path traversal vulnerability exists in parisneo/lollms-webui, specifically in the copy_to_custom_personas endpoint in the lollms_personalities_infos.py file. The vulnerability allows attackers to read arbitrary files by manipulating the category and name parameters during the "Copy to custom personas folder for editing" process. By inserting ../ sequences in these parameters, attackers can traverse the directory structure and access files outside the intended directory. Successful exploitation results in unauthorized access to sensitive information.
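One way to close this class of bug, shown as an added example that is neither the project's code nor its actual fix: category and name are each validated as a single directory name, and the resolved path is then checked to remain under the base directory. The function names, the allow-list pattern and the personalities directory layout are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed allow-list for ONE directory name (not the project's own rule):
# must start with a letter or digit, so "", ".", ".." and dotfiles are refused,
# and contains no "/" or "\" separators.
_COMPONENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _.-]{0,63}")


class UnsafePathError(ValueError):
    """Raised when a request would leave the personalities directory."""


def naive_join(base: Path, category: str, name: str) -> Path:
    """The vulnerable pattern: request values are joined without any check."""
    return base / category / name


def safe_component(value: str) -> str:
    if not isinstance(value, str) or not _COMPONENT.fullmatch(value):
        raise UnsafePathError(f"rejected path component: {value!r}")
    return value


def resolve_persona_dir(base: Path, category: str, name: str) -> Path:
    """Hardened form: validate each component, then confirm containment."""
    root = base.resolve()
    candidate = (root / safe_component(category) / safe_component(name)).resolve()
    # resolve() follows symlinks, so a link pointing outside root fails here too.
    if not candidate.is_relative_to(root):  # Python 3.9+
        raise UnsafePathError(f"{candidate} is outside {root}")
    return candidate


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "personalities"  # constructed sample layout
        (base / "generic" / "helper").mkdir(parents=True)
        # Constructed sample requests: one legitimate, three traversal attempts.
        for category, name in [("generic", "helper"), ("..", "x"),
                               ("generic", "../../etc"), ("generic/..", "x")]:
            try:
                print("ok     ", resolve_persona_dir(base, category, name))
            except UnsafePathError as exc:
                print("blocked", exc)
```

The component check alone stops ../ sequences; the containment check after resolve() is the backstop for anything the allow-list misses, such as a symlink inside the base directory.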