2 matches found
CVE-2024-0798 Privilege Escalation in mintplex-labs/anything-llm
A privilege escalation vulnerability exists in mintplex-labs/anything-llm, allowing users with 'default' role to delete documents uploaded by 'admin'. Despite the intended restriction that prevents 'default' role users from deleting admin-uploaded documents, an attacker can exploit this...
CVE-2024-0798
The CVE-2024-0798 entry relates to mintplex-labs/anything-llm, where users with the default role can delete documents uploaded by admin via a crafted DELETE to /api/system/remove-document. The root cause is improper access-control checks that allow unauthorized document deletion, risking data int...