165 matches found
CVE-2024-2913 Race Condition Vulnerability in mintplex-labs/anything-llm
A race condition vulnerability exists in the mintplex-labs/anything-llm repository, specifically within the user invite acceptance process. Attackers can exploit this vulnerability by sending multiple concurrent requests to accept a single user invite, allowing the creation of multiple user...
CVE-2024-2913 Race Condition Vulnerability in mintplex-labs/anything-llm
A race condition vulnerability exists in the mintplex-labs/anything-llm repository, specifically within the user invite acceptance process. Attackers can exploit this vulnerability by sending multiple concurrent requests to accept a single user invite, allowing the creation of multiple user...
CVE-2024-2913
CVE-2024-2913 affects mintplex-labs/anything-llm in the user invite acceptance flow. Root cause: lack of validation for concurrent requests creates a race condition that lets multiple accounts be created from a single invite link intended for one user. Impact: unauthorized user creation without d...
CVE-2024-0549 Relative Path Traversal in mintplex-labs/anything-llm
mintplex-labs/anything-llm is vulnerable to a relative path traversal attack, allowing unauthorized attackers with a default role account to delete files and folders within the filesystem, including critical database files such as 'anythingllm.db'. The vulnerability stems from insufficient input...
CVE-2024-3028 Improper Input Validation in mintplex-labs/anything-llm
mintplex-labs/anything-llm is vulnerable to improper input validation, allowing attackers to read and delete arbitrary files on the server. By manipulating the 'logofilename' parameter in the 'system-preferences' API endpoint, an attacker can construct requests to read sensitive files or the...
CVE-2024-3028 Improper Input Validation in mintplex-labs/anything-llm
mintplex-labs/anything-llm is vulnerable to improper input validation, allowing attackers to read and delete arbitrary files on the server. By manipulating the 'logofilename' parameter in the 'system-preferences' API endpoint, an attacker can construct requests to read sensitive files or the...
CVE-2024-0404 Mass Assignment Vulnerability in mintplex-labs/anything-llm
A mass assignment vulnerability exists in the /api/invite/:code endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an invitation link, an attacker...
CVE-2024-0404 Mass Assignment Vulnerability in mintplex-labs/anything-llm
A mass assignment vulnerability exists in the /api/invite/:code endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an invitation link, an attacker...
CVE-2024-0404 Mass Assignment Vulnerability in mintplex-labs/anything-llm
A mass assignment vulnerability exists in the /api/invite/:code endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an invitation link, an attacker...
CVE-2024-3569
A Denial of Service DoS vulnerability exists in the mintplex-labs/anything-llm repository when the application is running in 'just me' mode with a password. An attacker can exploit this vulnerability by making a request to the endpoint using the validatedRequest middleware with a specially crafte...
CVE-2024-3570
A stored Cross-Site Scripting XSS vulnerability exists in the chat functionality of the mintplex-labs/anything-llm repository, allowing attackers to execute arbitrary JavaScript in the context of a user's session. By manipulating the ChatBot responses, an attacker can inject malicious scripts to...
CVE-2024-3101
In mintplex-labs/anything-llm, an improper input validation vulnerability allows attackers to escalate privileges by deactivating 'Multi-User Mode'. By sending a specially crafted curl request with the 'multiusermode' parameter set to false, an attacker can deactivate 'Multi-User Mode'. This acti...
CVE-2024-3570 Stored XSS leading to Admin Account Takeover in mintplex-labs/anything-llm
A stored Cross-Site Scripting XSS vulnerability exists in the chat functionality of the mintplex-labs/anything-llm repository, allowing attackers to execute arbitrary JavaScript in the context of a user's session. By manipulating the ChatBot responses, an attacker can inject malicious scripts to...
CVE-2024-3570
The CVE-2024-3570 entry affects the chat functionality of mintplex-labs/anything-llm. It describes a stored XSS flaw where user and ChatBot input are not properly sanitized, specifically via dangerouslySetInnerHTML, allowing attackers to execute arbitrary JavaScript in a user’s session. Impacted ...
CVE-2024-3570 Stored XSS leading to Admin Account Takeover in mintplex-labs/anything-llm
A stored Cross-Site Scripting XSS vulnerability exists in the chat functionality of the mintplex-labs/anything-llm repository, allowing attackers to execute arbitrary JavaScript in the context of a user's session. By manipulating the ChatBot responses, an attacker can inject malicious scripts to...
CVE-2024-3101 Privilege Escalation via Improper Input Validation in mintplex-labs/anything-llm
In mintplex-labs/anything-llm, an improper input validation vulnerability allows attackers to escalate privileges by deactivating 'Multi-User Mode'. By sending a specially crafted curl request with the 'multiusermode' parameter set to false, an attacker can deactivate 'Multi-User Mode'. This acti...
CVE-2024-3101 Privilege Escalation via Improper Input Validation in mintplex-labs/anything-llm
In mintplex-labs/anything-llm, an improper input validation vulnerability allows attackers to escalate privileges by deactivating 'Multi-User Mode'. By sending a specially crafted curl request with the 'multiusermode' parameter set to false, an attacker can deactivate 'Multi-User Mode'. This acti...
CVE-2024-3283 Privilege Escalation via Mass Assignment in mintplex-labs/anything-llm
A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multiusermode' system variable, enabling...
CVE-2024-3283 Privilege Escalation via Mass Assignment in mintplex-labs/anything-llm
A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multiusermode' system variable, enabling...
CVE-2024-3283
CVE-2024-3283 concerns mintplex-labs/anything-llm. A mass-assignment flaw in the /admin/system-preferences endpoint lets users with the Manager role modify the multi_user_mode variable, enabling access to /api/system/enable-multi-user and the creation of a new admin user. The root cause is the en...