165 matches found
CVE-2024-3153
mintplex-labs/anything-llm is affected by an uncontrolled resource consumption vulnerability in its upload file endpoint, leading to a denial of service (DoS) condition. Specifically, the server can be shut down by sending an invalid upload request. An attacker with the ability to upload documents...
CVE-2024-3149
A Server-Side Request Forgery (SSRF) vulnerability exists in the upload link feature of mintplex-labs/anything-llm. This feature, intended for users with manager or admin roles, processes uploaded links through an internal Collector API using a headless browser. An attacker can exploit this by...
CVE-2024-3150
In mintplex-labs/anything-llm, a vulnerability exists in the thread update process that allows users with Default or Manager roles to escalate their privileges to Administrator. The issue arises from improper input validation when handling HTTP POST requests to the endpoint...
CVE-2024-3102
A JSON Injection vulnerability exists in the mintplex-labs/anything-llm application, specifically within the username parameter during the login process at the /api/request-token endpoint. The vulnerability arises from improper handling of values, allowing attackers to perform brute force attacks...
CVE-2024-3110
A stored Cross-Site Scripting (XSS) vulnerability exists in the mintplex-labs/anything-llm application, affecting versions up to and including the latest before 1.0.0. The vulnerability arises from the application's failure to properly sanitize and validate user-supplied URLs before embedding them...
CVE-2024-3150 Privilege Escalation in mintplex-labs/anything-llm
In mintplex-labs/anything-llm, a vulnerability exists in the thread update process that allows users with Default or Manager roles to escalate their privileges to Administrator. The issue arises from improper input validation when handling HTTP POST requests to the endpoint...
CVE-2024-3150
In mintplex-labs/anything-llm, a vulnerability exists in the thread update flow where HTTP POSTs to /workspace/:slug/thread/:threadSlug/update incorrectly validate user input before passing data to the workspace_thread Prisma model. This flaw enables users with Default or Manager roles to craft a...
CVE-2024-3149 SSRF in mintplex-labs/anything-llm
A Server-Side Request Forgery (SSRF) vulnerability exists in the upload link feature of mintplex-labs/anything-llm. This feature, intended for users with manager or admin roles, processes uploaded links through an internal Collector API using a headless browser. An attacker can exploit this by...
CVE-2024-3149
The CVE-2024-3149 entry describes a Server-Side Request Forgery (SSRF) in the upload link feature of mintplex-labs/anything-llm. The vulnerability affects the upload workflow used by users with manager/admin roles, where uploaded links are processed via an internal Collector API using a headless ...
CVE-2024-3153 Uncontrolled Resource Consumption in mintplex-labs/anything-llm
mintplex-labs/anything-llm is affected by an uncontrolled resource consumption vulnerability in its upload file endpoint, leading to a denial of service (DoS) condition. Specifically, the server can be shut down by sending an invalid upload request. An attacker with the ability to upload documents...
CVE-2024-3153
CVE-2024-3153 affects mintplex-labs/anything-llm. An uncontrolled resource consumption vulnerability exists in the upload file endpoint, enabling a denial of service by sending an invalid upload request. Documented impact is DoS with availability impact described; no official fix/version is provi...
CVE-2024-3166 Cross-Site Scripting (XSS) Vulnerability in mintplex-labs/anything-llm
A Cross-Site Scripting (XSS) vulnerability exists in mintplex-labs/anything-llm, affecting both the desktop application version 1.2.0 and the latest version of the web application. The vulnerability arises from the application's feature to fetch and embed content from websites into workspaces, whic...
CVE-2024-3166
Summary: CVE-2024-3166 affects mintplex-labs/anything-llm, including desktop v1.2.0 to v1.4.1 and the web app. The vulnerability is an XSS in the feature that fetches and embeds external website content into workspaces, with a route to Remote Code Execution in the desktop app due to Electron sett...
CVE-2024-3102 JSON Injection in mintplex-labs/anything-llm
A JSON Injection vulnerability exists in the mintplex-labs/anything-llm application, specifically within the username parameter during the login process at the /api/request-token endpoint. The vulnerability arises from improper handling of values, allowing attackers to perform brute force attacks...
CVE-2024-3102
CVE-2024-3102 affects mintplex-labs/anything-llm via a JSON Injection in the login flow, specifically the username parameter at /api/request-token. The root cause is improper handling of values, enabling brute-force attempts without prior username knowledge and, once the password is known, blind ...
CVE-2024-3152
mintplex-labs/anything-llm is vulnerable to multiple security issues due to improper input validation in several endpoints. An attacker can exploit these vulnerabilities to escalate privileges from a default user role to an admin role, read and delete arbitrary files on the system, and perform...