165 matches found
CVE-2024-3033
An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and deleting specifi...
CVE-2024-3104
A remote code execution vulnerability exists in mintplex-labs/anything-llm due to improper handling of environment variables. Attackers can exploit this vulnerability by injecting arbitrary environment variables via the POST /api/system/update-env endpoint, which allows for the execution of...
CVE-2024-3110 Stored XSS leading to admin account takeover in mintplex-labs/anything-llm
A stored Cross-Site Scripting (XSS) vulnerability exists in the mintplex-labs/anything-llm application, affecting versions up to and including the latest before 1.0.0. The vulnerability arises from the application's failure to properly sanitize and validate user-supplied URLs before embedding them...
CVE-2024-3104 Remote Code Execution in mintplex-labs/anything-llm
A remote code execution vulnerability exists in mintplex-labs/anything-llm due to improper handling of environment variables. Attackers can exploit this vulnerability by injecting arbitrary environment variables via the POST /api/system/update-env endpoint, which allows for the execution of...
CVE-2024-3104
CVE-2024-3104 affects mintplex-labs/anything-llm. The vulnerability arises from improper handling of environment variables, enabling remote code execution via POST /api/system/update-env. Affected versions are prior to 1.0.0; fix is in 1.0.0. Documented impact includes code execution on the host,...
CVE-2024-3033 Improper Authorization in mintplex-labs/anything-llm
An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and deleting specifi...
CVE-2024-3033
The CVE-2024-3033 issue affects mintplex-labs/anything-llm, specifically the "/api/v/" endpoint and its sub-routes. It is described as an improper authorization vulnerability that allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and del...
CVE-2024-3152 Privilege Escalation and Local File Inclusion in mintplex-labs/anything-llm
mintplex-labs/anything-llm is vulnerable to multiple security issues due to improper input validation in several endpoints. An attacker can exploit these vulnerabilities to escalate privileges from a default user role to an admin role, read and delete arbitrary files on the system, and perform...
CVE-2024-4084
A Server-Side Request Forgery (SSRF) vulnerability exists in the latest version of mintplex-labs/anything-llm, allowing attackers to bypass the official fix intended to restrict access to intranet IP addresses and protocols. Despite efforts to filter out intranet IP addresses starting with 192, 172...
CVE-2024-4084 SSRF vulnerability in mintplex-labs/anything-llm
A Server-Side Request Forgery (SSRF) vulnerability exists in the latest version of mintplex-labs/anything-llm, allowing attackers to bypass the official fix intended to restrict access to intranet IP addresses and protocols. Despite efforts to filter out intranet IP addresses starting with 192, 172...
CVE-2024-4286
The CVE-2024-4286 entry refers to Mintplex-Labs’ anything-llm application with improper neutralization of elements in an expression language statement. The vulnerability arises from how user modifications by managers/admins are handled, allowing modification of all attributes of the user entity w...
CVE-2024-4287 Improper Input Validation in mintplex-labs/anything-llm
In mintplex-labs/anything-llm, a vulnerability exists due to improper input validation in the workspace update process. Specifically, the application fails to validate or format JSON data sent in an HTTP POST request to /api/workspace/:workspace-slug/update, allowing it to be executed as part of ...
CVE-2024-4284
A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's id attribute to a value of 0. This issue affects the current version of the software, with the latest commit id 57984fa85c31988b2eff429adfc654c46e0c342a. By exploiting...
CVE-2024-4284
CVE-2024-4284 affects mintplex-labs/anything-llm (versions prior to 1.0.0). The vulnerability allows a DoS by changing a user’s id to 0, enabling a manager/admin to render a target account inaccessible and cause uncontrolled resource consumption. Root cause: lack of input validation/sanitization ...
CVE-2024-4284 Denial of Service in mintplex-labs/anything-llm
A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's id attribute to a value of 0. This issue affects the current version of the software, with the latest commit id 57984fa85c31988b2eff429adfc654c46e0c342a. By exploiting...