Applio Voice Conversion Tool Arbitrary File Removal Vulnerability

Vulnerability

A vulnerability allowing arbitrary file removal has been identified in Applio, a voice conversion tool, in versions through 3.2.8-bugfix. The issue arises in 'core.py': the 'output_tts_path' variable in 'tts.py' accepts arbitrary user input, which is passed to the 'run_tts_script' function in 'core.py'. That function checks whether the specified path exists and, if it does, removes the file, leading to unauthorized file deletion.

Impact

Exploitation of this vulnerability allows for arbitrary file removal on the server where Applio is running.

Reproduction

The vulnerability can be reproduced by uploading a file through an interface in the application that accepts file uploads, then providing the path to that file in the 'output_tts_path' input of the 'tts' tab. The 'run_tts_script' function will remove the file if the path exists, demonstrating the arbitrary file removal flaw.
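
The exists-then-remove pattern described above, next to a hardened form that confines deletion to a fixed output directory. This is an added example, not Applio's code and not part of the original advisory; the function names, the 'tts_output' directory and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

def remove_existing_unsafe(output_path: str) -> bool:
    """Pattern the advisory describes: delete whatever path the caller names."""
    if os.path.exists(output_path):
        os.remove(output_path)
        return True
    return False

def resolve_output_path(user_value: str, output_dir: Path) -> Path:
    """Return a path strictly inside output_dir, or raise ValueError."""
    base = output_dir.resolve()
    # resolve() collapses ".." and follows symlinks; an absolute user_value
    # replaces base in the join, so it lands outside base and is rejected.
    candidate = (base / user_value).resolve()
    if base not in candidate.parents:
        raise ValueError(f"output path escapes {base}")
    return candidate

def remove_existing_safe(user_value: str, output_dir: Path) -> bool:
    """Delete a stale output file only after the path has been validated."""
    target = resolve_output_path(user_value, output_dir)
    if target.is_file():
        target.unlink()
        return True
    return False

def demo() -> dict:
    """Run both variants against constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        out_dir = Path(tmp) / "tts_output"      # hypothetical output directory
        out_dir.mkdir()
        outside = Path(tmp) / "settings.json"   # constructed file outside it
        outside.write_text("{}")
        (out_dir / "old.wav").write_bytes(b"RIFF")  # constructed stale output
        results = {}
        for label, value in (("absolute", str(outside)),
                             ("traversal", "../settings.json")):
            try:
                remove_existing_safe(value, out_dir)
                results[label] = "allowed"
            except ValueError:
                results[label] = "rejected"
        results["outside_survives_safe"] = outside.exists()
        results["stale_output_removed"] = remove_existing_safe("old.wav", out_dir)
        results["unsafe_deleted_outside"] = (
            remove_existing_unsafe(str(outside)) and not outside.exists())
        return results
```

The containment check runs on the resolved path, so a symlink placed inside the output directory that points elsewhere is rejected as well.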

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.