
182 matches found

Cvelist
added 2024/06/06 6:40 p.m., 13 views

CVE-2024-3153 Uncontrolled Resource Consumption in mintplex-labs/anything-llm

mintplex-labs/anything-llm is affected by an uncontrolled resource consumption vulnerability in its upload file endpoint, leading to a denial of service (DoS) condition. Specifically, the server can be shut down by sending an invalid upload request. An attacker with the ability to upload documents...

CVSS 6.5, EPSS 0.00138
Exploits: 1, References: 2
CVE
added 2024/06/06 6:40 p.m., 63 views

CVE-2024-3153

CVE-2024-3153 affects mintplex-labs/anything-llm. An uncontrolled resource consumption vulnerability exists in the upload file endpoint, enabling a denial of service by sending an invalid upload request. Documented impact is DoS with availability impact described; no official fix/version is provi...

CVSS 6.5, AI score 6.3, EPSS 0.00138
Exploits: 1, References: 2, Affected Software: 1
CVE
added 2024/06/06 6:23 p.m., 54 views

CVE-2024-3166

Summary: CVE-2024-3166 affects mintplex-labs/anything-llm, including desktop v1.2.0 to v1.4.1 and the web app. The vulnerability is an XSS in the feature that fetches and embeds external website content into workspaces, with a route to Remote Code Execution in the desktop app due to Electron sett...

CVSS 9.6, AI score 4.8, EPSS 0.00287
Exploits: 1, References: 2, Affected Software: 2
Vulnrichment
added 2024/06/06 6:23 p.m., 10 views

CVE-2024-3166 Cross-Site Scripting (XSS) Vulnerability in mintplex-labs/anything-llm

A Cross-Site Scripting (XSS) vulnerability exists in mintplex-labs/anything-llm, affecting both the desktop application version 1.2.0 and the latest version of the web application. The vulnerability arises from the application's feature to fetch and embed content from websites into workspaces, whic...

CVSS 3.4, AI score 6.6, EPSS 0.00287
Exploits: 1, References: 2
Cvelist
added 2024/06/06 6:23 p.m., 15 views

CVE-2024-3166 Cross-Site Scripting (XSS) Vulnerability in mintplex-labs/anything-llm

A Cross-Site Scripting (XSS) vulnerability exists in mintplex-labs/anything-llm, affecting both the desktop application version 1.2.0 and the latest version of the web application. The vulnerability arises from the application's feature to fetch and embed content from websites into workspaces, whic...

CVSS 3.4, EPSS 0.00287
Exploits: 1, References: 2
Cvelist
added 2024/06/06 6:19 p.m., 14 views

CVE-2024-3102 JSON Injection in mintplex-labs/anything-llm

A JSON Injection vulnerability exists in the mintplex-labs/anything-llm application, specifically within the username parameter during the login process at the /api/request-token endpoint. The vulnerability arises from improper handling of values, allowing attackers to perform brute force attacks...

CVSS 5.3, EPSS 0.0017
Exploits: 1, References: 2
CVE
added 2024/06/06 6:19 p.m., 78 views

CVE-2024-3102

CVE-2024-3102 affects mintplex-labs/anything-llm via a JSON Injection in the login flow, specifically the username parameter at /api/request-token. The root cause is improper handling of values, enabling brute-force attempts without prior username knowledge and, once the password is known, blind ...

CVSS 5.3, AI score 5.5, EPSS 0.0017
Exploits: 1, References: 2, Affected Software: 1
Vulnrichment
added 2024/06/06 6:19 p.m., 14 views

CVE-2024-3102 JSON Injection in mintplex-labs/anything-llm

A JSON Injection vulnerability exists in the mintplex-labs/anything-llm application, specifically within the username parameter during the login process at the /api/request-token endpoint. The vulnerability arises from improper handling of values, allowing attackers to perform brute force attacks...

CVSS 5.3, AI score 7.3, EPSS 0.0017
Exploits: 1, References: 2
NVD
added 2024/06/06 6:15 p.m., 23 views

CVE-2024-3104

A remote code execution vulnerability exists in mintplex-labs/anything-llm due to improper handling of environment variables. Attackers can exploit this vulnerability by injecting arbitrary environment variables via the POST /api/system/update-env endpoint, which allows for the execution of...

CVSS 9.8, EPSS 0.06578
Exploits: 1, References: 2
NVD
added 2024/06/06 6:15 p.m., 9 views

CVE-2024-3152

mintplex-labs/anything-llm is vulnerable to multiple security issues due to improper input validation in several endpoints. An attacker can exploit these vulnerabilities to escalate privileges from a default user role to an admin role, read and delete arbitrary files on the system, and perform...

CVSS 8.8, EPSS 0.00133
Exploits: 1, References: 2
NVD
added 2024/06/06 6:15 p.m., 13 views

CVE-2024-3033

An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and deleting specifi...

CVSS 9.4, EPSS 0.00145
Exploits: 1, References: 2
OSV
added 2024/06/06 6:15 p.m., 10 views

CVE-2024-3104

A remote code execution vulnerability exists in mintplex-labs/anything-llm due to improper handling of environment variables. Attackers can exploit this vulnerability by injecting arbitrary environment variables via the POST /api/system/update-env endpoint, which allows for the execution of...

CVSS 9.8, AI score 8.1
Exploits: 0, References: 2
Vulnrichment
added 2024/06/06 6:11 p.m., 11 views

CVE-2024-3110 Stored XSS leading to admin account takeover in mintplex-labs/anything-llm

A stored Cross-Site Scripting (XSS) vulnerability exists in the mintplex-labs/anything-llm application, affecting versions up to and including the latest before 1.0.0. The vulnerability arises from the application's failure to properly sanitize and validate user-supplied URLs before embedding them...

CVSS 7.3, AI score 5.8, EPSS 0.00216
Exploits: 1, References: 2
CVE
added 2024/06/06 5:50 p.m., 87 views

CVE-2024-3104

CVE-2024-3104 affects mintplex-labs/anything-llm. The vulnerability arises from improper handling of environment variables, enabling remote code execution via POST /api/system/update-env. Affected versions are prior to 1.0.0; fix is in 1.0.0. Documented impact includes code execution on the host,...

CVSS 9.8, AI score 9.6, EPSS 0.06578
Exploits: 1, References: 2, Affected Software: 1
Cvelist
added 2024/06/06 5:50 p.m., 25 views

CVE-2024-3104 Remote Code Execution in mintplex-labs/anything-llm

A remote code execution vulnerability exists in mintplex-labs/anything-llm due to improper handling of environment variables. Attackers can exploit this vulnerability by injecting arbitrary environment variables via the POST /api/system/update-env endpoint, which allows for the execution of...

CVSS 9.6, EPSS 0.06578
Exploits: 1, References: 2
Vulnrichment
added 2024/06/06 5:50 p.m., 17 views

CVE-2024-3104 Remote Code Execution in mintplex-labs/anything-llm

A remote code execution vulnerability exists in mintplex-labs/anything-llm due to improper handling of environment variables. Attackers can exploit this vulnerability by injecting arbitrary environment variables via the POST /api/system/update-env endpoint, which allows for the execution of...

CVSS 9.6, AI score 8.1, EPSS 0.06578
Exploits: 1, References: 2
CVE
added 2024/06/06 5:32 p.m., 86 views

CVE-2024-3033

The CVE-2024-3033 issue affects mintplex-labs/anything-llm, specifically the "/api/v/" endpoint and its sub-routes. It is described as an improper authorization vulnerability that allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and del...

CVSS 9.4, AI score 9.2, EPSS 0.00145
Exploits: 1, References: 2, Affected Software: 1
Cvelist
added 2024/06/06 5:32 p.m., 13 views

CVE-2024-3033 Improper Authorization in mintplex-labs/anything-llm

An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and deleting specifi...

CVSS 9.1, EPSS 0.00145
Exploits: 1, References: 2
Vulnrichment
added 2024/06/06 5:32 p.m., 17 views

CVE-2024-3033 Improper Authorization in mintplex-labs/anything-llm

An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and deleting specifi...

CVSS 9.1, AI score 6.8, EPSS 0.00145
Exploits: 1, References: 2
Vulnrichment
added 2024/06/06 5:19 p.m., 14 views

CVE-2024-3152 Privilege Escalation and Local File Inclusion in mintplex-labs/anything-llm

mintplex-labs/anything-llm is vulnerable to multiple security issues due to improper input validation in several endpoints. An attacker can exploit these vulnerabilities to escalate privileges from a default user role to an admin role, read and delete arbitrary files on the system, and perform...

CVSS 8.8, AI score 7.6, EPSS 0.00133
Exploits: 1, References: 2