CVE-2024-2083 Directory Traversal in zenml-io/zenml

A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit this vulnerability by manipulating the 'logs' URI path in the request to fetch arbitrary file content, bypassing intended access restrictions. The...

CVE-2024-2083

A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically in the /api/v1/steps endpoint. Exploitation opportunities arise by manipulating the logs URI path, bypassing access restrictions due to lack of validation for directory traversal patterns. The issue is descr...

CVE-2024-2083 Directory Traversal in zenml-io/zenml

A directory traversal vulnerability exists in the zenml-io/zenml repository, specifically within the /api/v1/steps endpoint. Attackers can exploit this vulnerability by manipulating the 'logs' URI path in the request to fetch arbitrary file content, bypassing intended access restrictions. The...

CVE-2024-1738

CVE-2024-1738 affects lunary-ai/lunary, specifically the /api/evaluations route (evaluations.get). The root cause is missing project ID verification in the SQL query, enabling unauthorized users to retrieve any organization’s evaluation results by simply knowing the evaluation ID, potentially exp...

CVE-2024-1665

This CVE ID is rejected/not used and does not represent an active vulnerability entry.

CVE-2024-3028 Improper Input Validation in mintplex-labs/anything-llm

mintplex-labs/anything-llm is vulnerable to improper input validation, allowing attackers to read and delete arbitrary files on the server. By manipulating the 'logofilename' parameter in the 'system-preferences' API endpoint, an attacker can construct requests to read sensitive files or the...

CVE-2023-4856

A format string vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user to execute arbitrary commands on a specific API endpoint...

CVE-2023-4856

A format string vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user to execute arbitrary commands on a specific API endpoint...

CVE-2023-4856

The CVE-2023-4856 entry concerns a format-string vulnerability in Lenovo SMM/SMM2 and FPC. An authenticated user could trigger execution of arbitrary commands via a specific API endpoint, due to improper handling of format strings in the affected components. The connected Red Hat, NVD, CVE lists ...

PT-2024-15530 · Mintplex · Anything-Llm

Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm repository affected versions not specified Description: A mass assignment vulnerability exists in the "/api/invite/:code" endpoint, allowing unauthorized creation of high-privileged accounts. By intercepting and...

Remote Code Execution (RCE)

aim is vulnerable to Remote Code Execution RCE. The vulnerability is due to improper user access restriction to the RunView object, allowing for the execution of arbitrary code via a crafted query parameter to the /api/runs/search/run/ endpoint...

PT-2024-24235

Name of the Vulnerable Software and Affected Versions: tiagorlampert CHAOS version 5.0.1 Description: A Cross Site Scripting XSS vulnerability exists in tiagorlampert CHAOS. A remote attacker may be able to escalate privileges via the sendCommandHandler function in the handler.go component. A...

CVE-2024-3283

A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multiusermode' system variable, enabling...

CVE-2024-3025

mintplex-labs/anything-llm is vulnerable to path traversal attacks due to insufficient validation of user-supplied input in the logo filename functionality. Attackers can exploit this vulnerability by manipulating the logo filename to reference files outside of the restricted directory. This can...

CVE-2024-2195

A critical Remote Code Execution RCE vulnerability was identified in the aimhubio/aim project, specifically within the /api/runs/search/run/ endpoint, affecting versions = 3.0.0. The vulnerability resides in the runsearchapi function of the aim/web/api/runs/views.py file, where improper restricti...

CVE-2024-3283

CVE-2024-3283 concerns mintplex-labs/anything-llm. A mass-assignment flaw in the /admin/system-preferences endpoint lets users with the Manager role modify the multi_user_mode variable, enabling access to /api/system/enable-multi-user and the creation of a new admin user. The root cause is the en...

CVE-2024-3283 Privilege Escalation via Mass Assignment in mintplex-labs/anything-llm

A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multiusermode' system variable, enabling...

CVE-2024-3283 Privilege Escalation via Mass Assignment in mintplex-labs/anything-llm

A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multiusermode' system variable, enabling...

PT-2024-24905 · Mintplex · Anything-Llm

Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm affected versions not specified Description: A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The...

CVE-2024-31978

A vulnerability has been identified in SINEC NMS All versions V2.0 SP2. Affected devices allow authenticated users to export monitoring data. The corresponding API endpoint is susceptible to path traversal and could allow an authenticated attacker to download files from the file system. Under...