PT-2024-24131 · Mintplex · Anything-Llm

Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm affected versions not specified Description: The issue is related to an uncontrolled resource consumption vulnerability in the upload file endpoint, which can lead to a denial of service DOS condition. Specifically,...

PT-2024-24130 · Mintplex · Anything-Llm

Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm versions prior to 1.0.0 Description: The issue is due to improper input validation in several endpoints, allowing an attacker to escalate privileges from a default user role to an admin role, read and delete arbitra...

CVE-2024-4084

A Server-Side Request Forgery SSRF vulnerability exists in the latest version of mintplex-labs/anything-llm, allowing attackers to bypass the official fix intended to restrict access to intranet IP addresses and protocols. Despite efforts to filter out intranet IP addresses starting with 192, 172...

CVE-2024-4084

A Server-Side Request Forgery SSRF vulnerability exists in the latest version of mintplex-labs/anything-llm, allowing attackers to bypass the official fix intended to restrict access to intranet IP addresses and protocols. Despite efforts to filter out intranet IP addresses starting with 192, 172...

CVE-2024-4084 SSRF vulnerability in mintplex-labs/anything-llm

A Server-Side Request Forgery SSRF vulnerability exists in the latest version of mintplex-labs/anything-llm, allowing attackers to bypass the official fix intended to restrict access to intranet IP addresses and protocols. Despite efforts to filter out intranet IP addresses starting with 192, 172...

CVE-2024-4084 SSRF vulnerability in mintplex-labs/anything-llm

A Server-Side Request Forgery SSRF vulnerability exists in the latest version of mintplex-labs/anything-llm, allowing attackers to bypass the official fix intended to restrict access to intranet IP addresses and protocols. Despite efforts to filter out intranet IP addresses starting with 192, 172...

CVE-2024-4286

The CVE-2024-4286 entry refers to Mintplex-Labs’ anything-llm application with improper neutralization of elements in an expression language statement. The vulnerability arises from how user modifications by managers/admins are handled, allowing modification of all attributes of the user entity w...

CVE-2024-4287 Improper Input Validation in mintplex-labs/anything-llm

In mintplex-labs/anything-llm, a vulnerability exists due to improper input validation in the workspace update process. Specifically, the application fails to validate or format JSON data sent in an HTTP POST request to /api/workspace/:workspace-slug/update, allowing it to be executed as part of ...

CVE-2024-4284

A vulnerability in mintplex-labs/anything-llm allows for a denial of service DoS condition through the modification of a user's id attribute to a value of 0. This issue affects the current version of the software, with the latest commit id 57984fa85c31988b2eff429adfc654c46e0c342a. By exploiting...

CVE-2024-4284

CVE-2024-4284 affects mintplex-labs/anything-llm (versions prior to 1.0.0). The vulnerability allows a DoS by changing a user’s id to 0, enabling a manager/admin to render a target account inaccessible and cause uncontrolled resource consumption. Root cause: lack of input validation/sanitization ...

CVE-2024-4284 Denial of Service in mintplex-labs/anything-llm

A vulnerability in mintplex-labs/anything-llm allows for a denial of service DoS condition through the modification of a user's id attribute to a value of 0. This issue affects the current version of the software, with the latest commit id 57984fa85c31988b2eff429adfc654c46e0c342a. By exploiting...

CVE-2024-4284 Denial of Service in mintplex-labs/anything-llm

A vulnerability in mintplex-labs/anything-llm allows for a denial of service DoS condition through the modification of a user's id attribute to a value of 0. This issue affects the current version of the software, with the latest commit id 57984fa85c31988b2eff429adfc654c46e0c342a. By exploiting...

CVE-2024-2913 Race Condition Vulnerability in mintplex-labs/anything-llm

A race condition vulnerability exists in the mintplex-labs/anything-llm repository, specifically within the user invite acceptance process. Attackers can exploit this vulnerability by sending multiple concurrent requests to accept a single user invite, allowing the creation of multiple user...

CVE-2024-2913

CVE-2024-2913 affects mintplex-labs/anything-llm in the user invite acceptance flow. Root cause: lack of validation for concurrent requests creates a race condition that lets multiple accounts be created from a single invite link intended for one user. Impact: unauthorized user creation without d...

CVE-2024-2913 Race Condition Vulnerability in mintplex-labs/anything-llm

A race condition vulnerability exists in the mintplex-labs/anything-llm repository, specifically within the user invite acceptance process. Attackers can exploit this vulnerability by sending multiple concurrent requests to accept a single user invite, allowing the creation of multiple user...

CVE-2024-0404

A mass assignment vulnerability exists in the /api/invite/:code endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an invitation link, an attacker...

CVE-2024-3028 Improper Input Validation in mintplex-labs/anything-llm

mintplex-labs/anything-llm is vulnerable to improper input validation, allowing attackers to read and delete arbitrary files on the server. By manipulating the 'logofilename' parameter in the 'system-preferences' API endpoint, an attacker can construct requests to read sensitive files or the...

CVE-2024-0549 Relative Path Traversal in mintplex-labs/anything-llm

mintplex-labs/anything-llm is vulnerable to a relative path traversal attack, allowing unauthorized attackers with a default role account to delete files and folders within the filesystem, including critical database files such as 'anythingllm.db'. The vulnerability stems from insufficient input...

CVE-2024-3028 Improper Input Validation in mintplex-labs/anything-llm

mintplex-labs/anything-llm is vulnerable to improper input validation, allowing attackers to read and delete arbitrary files on the server. By manipulating the 'logofilename' parameter in the 'system-preferences' API endpoint, an attacker can construct requests to read sensitive files or the...

CVE-2024-0404 Mass Assignment Vulnerability in mintplex-labs/anything-llm

A mass assignment vulnerability exists in the /api/invite/:code endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an invitation link, an attacker...