182 matches found
CVE-2024-3033
An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and deleting specifi...
CVE-2024-5211
A path traversal vulnerability in mintplex-labs/anything-llm allowed a manager to bypass the normalizePath function, intended to defend against path traversal attacks. This vulnerability enables the manager to read, delete, or overwrite the 'anythingllm.db' database file and other files stored in...
CVE-2024-0798
A privilege escalation vulnerability exists in mintplex-labs/anything-llm, allowing users with 'default' role to delete documents uploaded by 'admin'. Despite the intended restriction that prevents 'default' role users from deleting admin-uploaded documents, an attacker can exploit this...
CVE-2024-7783 Improper Storage of Sensitive Information in Bearer Token in mintplex-labs/anything-llm
The latest version of mintplex-labs/anything-llm contains a vulnerability where sensitive information, specifically a password, is improperly stored within a JWT (JSON Web Token) used as a bearer token in single user mode. When decoded, the JWT reveals the password in plaintext. This improper storage of...
AnythingLLM Security Vulnerability
AnythingLLM is an all-in-one AI application open-sourced by Mintplex. A security vulnerability exists in versions of AnythingLLM prior to 1.0.3, which stems from sensitive information being incorrectly stored in a JWT used as a bearer token in single-user mode, which, when decoded, displays the...
CVE-2024-3279
An improper access control vulnerability exists in the mintplex-labs/anything-llm application, specifically within the import endpoint. This vulnerability allows an anonymous attacker, without an account in the application, to import their own database file, leading to the deletion or spoofing of...
CVE-2024-3279 Improper Access Control in mintplex-labs/anything-llm
An improper access control vulnerability exists in the mintplex-labs/anything-llm application, specifically within the import endpoint. This vulnerability allows an anonymous attacker, without an account in the application, to import their own database file, leading to the deletion or spoofing of...
CVE-2024-3279
The CVE concerns mintplex-labs/anything-llm, specifically the import endpoint. An improper access control flaw allegedly allows anonymous, unauthenticated users to import their own database file, potentially deleting or spoofing the existing anythingllm.db and enabling serving malicious data or c...
CVE-2024-5216
CVE-2024-5216 affects mintplex-labs/anything-llm. The root cause is the application not limiting the size of usernames, enabling a denial of service (DoS) via extremely large username values. The resulting impact is an unresponsive user management panel, preventing admins from editing, suspendi...
CVE-2024-5216 Denial of Service in mintplex-labs/anything-llm
A vulnerability in mintplex-labs/anything-llm allows for a Denial of Service (DoS) condition due to uncontrolled resource consumption. Specifically, the issue arises from the application's failure to limit the size of usernames, enabling attackers to create users with excessively bulky texts in the...
CVE-2024-5213
In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (POST /api/request-token) and after account creation (POST /api/admin/users/new). This exposure occurs because the entire User object,...
CVE-2024-5213 Exposure of Sensitive Information in mintplex-labs/anything-llm
In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (POST /api/request-token) and after account creation (POST /api/admin/users/new). This exposure occurs because the entire User object,...
CVE-2024-5208
An uncontrolled resource consumption vulnerability exists in the upload-link endpoint of mintplex-labs/anything-llm. This vulnerability allows attackers to cause a denial of service (DoS) by shutting down the server through sending invalid upload requests. Specifically, the server can be made to sh...
CVE-2024-5208 Uncontrolled Resource Consumption in mintplex-labs/anything-llm
An uncontrolled resource consumption vulnerability exists in the upload-link endpoint of mintplex-labs/anything-llm. This vulnerability allows attackers to cause a denial of service (DoS) by shutting down the server through sending invalid upload requests. Specifically, the server can be made to sh...