165 matches found
CVE-2024-3283 Privilege Escalation via Mass Assignment in mintplex-labs/anything-llm
A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multiusermode' system variable, enabling...
CVE-2024-3569
The CVE-2024-3569 entry concerns the mintplex-labs/anything-llm repository, where running in 'just me' mode with a password enables a DoS via the validatedRequest middleware when an attacker sends a crafted Authorization header. Public documents describe uncontrolled resource consumption leading ...
CVE-2024-3569 Denial of Service (DoS) Vulnerability in mintplex-labs/anything-llm
A Denial of Service (DoS) vulnerability exists in the mintplex-labs/anything-llm repository when the application is running in 'just me' mode with a password. An attacker can exploit this vulnerability by making a request to the endpoint using the validatedRequest middleware with a specially crafte...
CVE-2024-3025 Path Traversal in mintplex-labs/anything-llm
mintplex-labs/anything-llm is vulnerable to path traversal attacks due to insufficient validation of user-supplied input in the logo filename functionality. Attackers can exploit this vulnerability by manipulating the logo filename to reference files outside of the restricted directory. This can...
CVE-2024-0798 Privilege Escalation in mintplex-labs/anything-llm
A privilege escalation vulnerability exists in mintplex-labs/anything-llm, allowing users with 'default' role to delete documents uploaded by 'admin'. Despite the intended restriction that prevents 'default' role users from deleting admin-uploaded documents, an attacker can exploit this...
CVE-2023-5833
Improper Access Control in GitHub repository mintplex-labs/anything-llm prior to 0.1.0...
CVE-2023-5832
Improper Input Validation in GitHub repository mintplex-labs/anything-llm prior to 0.1.0...
Improper access control
Improper Access Control in GitHub repository mintplex-labs/anything-llm prior to 0.1.0...
CVE-2023-5833 Improper Access Control in mintplex-labs/anything-llm
Improper Access Control in GitHub repository mintplex-labs/anything-llm prior to 0.1.0...
CVE-2023-5833
The connected Huntr document provides concrete details for CVE-2023-5833: an improper access control flaw in mintplex-labs/anything-llm prior to 0.1.0 that allows overwriting backend environment variables via the /api/system/update-env endpoint. The vulnerability arises from how KEY_MAPPING expos...
CVE-2023-5832
CVE-2023-5832 affects mintplex-labs/anything-llm prior to 0.1.0. Root cause: improper input validation in the HTTP API that handles a filename parameter, enabling path traversal and, in some reports, arbitrary file deletion (PoC shows deletion of files like ../../server/storage/anythingllm.db). I...
PT-2023-32365 · Unknown · Anything-Llm
Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm versions prior to 0.1.0 Description: The issue is related to improper access control in the GitHub repository mintplex-labs/anything-llm. Recommendations: For versions prior to 0.1.0, update to version 0.1.0 or late...
CVE-2023-4899
SQL Injection in GitHub repository mintplex-labs/anything-llm prior to 0.0.1...
CVE-2023-4898
Authentication Bypass by Primary Weakness in GitHub repository mintplex-labs/anything-llm prior to 0.0.1...
CVE-2023-4899 SQL Injection in mintplex-labs/anything-llm
SQL Injection in GitHub repository mintplex-labs/anything-llm prior to 0.0.1...
CVE-2023-4899
The CVE-2023-4899 entry concerns a SQL Injection vulnerability in mintplex-labs/anything-llm (versions prior to 0.0.1). The Red Hat/NVD/NVD-derived entries align on the vulnerability class, with the Huntr PoC detailing a concrete flaw in the /api/workspace/:slug endpoint where the slug parameter ...