CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 2024/06/19 6:13 a.m.•49 views

CVE-2024-5208

The CVE concerns mintplex-labs/anything-llm. The vulnerable component is the upload-link endpoint, where an uncontrolled resource‑consumption (DoS) issue can be triggered by sending invalid upload requests. Specifically, an empty body with Content-Length: 0 or a body of arbitrary content (e.g., a...

6.5CVSS6.5AI score0.00116EPSS

Positive Technologies•added 2024/06/19 12:0 a.m.•1 views

PT-2024-35120 · Mintplex · Anything-Llm

Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm affected versions not specified Description: An uncontrolled resource consumption issue exists in the "upload-link" endpoint, allowing attackers to cause a denial of service DOS by shutting down the server through...

6.5CVSS6.4AI score0.00116EPSS

Exploits1References7

CVE•added 2024/06/12 11:33 a.m.•57 views

CVE-2024-5211

CVE-2024-5211 : Concrete details across multiple sources show a path traversal vulnerability in mintplex-labs/anything-llm. By bypassing the normalizePath() check during the logo-setting flow, an attacker can read, delete, or overwrite the file anythingllm.db and other files in the storage direct...

9.1CVSS9.3AI score0.00048EPSS

OSV•added 2024/06/06 7:16 p.m.•11 views

CVE-2024-3153

mintplex-labs/anything-llm is affected by an uncontrolled resource consumption vulnerability in its upload file endpoint, leading to a denial of service DOS condition. Specifically, the server can be shut down by sending an invalid upload request. An attacker with the ability to upload documents...

6.5CVSS6.7AI score

NVD•added 2024/06/06 7:16 p.m.•11 views

CVE-2024-3166

A Cross-Site Scripting XSS vulnerability exists in mintplex-labs/anything-llm, affecting both the desktop application version 1.2.0 and the latest version of the web application. The vulnerability arises from the application's feature to fetch and embed content from websites into workspaces, whic...

9.6CVSS0.00287EPSS

NVD•added 2024/06/06 7:16 p.m.•13 views

CVE-2024-3149

A Server-Side Request Forgery SSRF vulnerability exists in the upload link feature of mintplex-labs/anything-llm. This feature, intended for users with manager or admin roles, processes uploaded links through an internal Collector API using a headless browser. An attacker can exploit this by...

9.6CVSS0.00132EPSS

OSV•added 2024/06/06 7:16 p.m.•10 views

CVE-2024-3149

8.8CVSS6.9AI score

OSV•added 2024/06/06 7:16 p.m.•13 views

CVE-2024-3166

9.6CVSS6.6AI score

OSV•added 2024/06/06 7:16 p.m.•12 views

CVE-2024-3150

In mintplex-labs/anything-llm, a vulnerability exists in the thread update process that allows users with Default or Manager roles to escalate their privileges to Administrator. The issue arises from improper input validation when handling HTTP POST requests to the endpoint...

8.8CVSS7.1AI score

NVD•added 2024/06/06 7:16 p.m.•11 views

CVE-2024-3150

8.8CVSS0.00552EPSS

NVD•added 2024/06/06 7:16 p.m.•9 views

CVE-2024-3153

6.5CVSS0.00138EPSS

NVD•added 2024/06/06 7:15 p.m.•9 views

CVE-2024-3110

A stored Cross-Site Scripting XSS vulnerability exists in the mintplex-labs/anything-llm application, affecting versions up to and including the latest before 1.0.0. The vulnerability arises from the application's failure to properly sanitize and validate user-supplied URLs before embedding them...

8.7CVSS0.00216EPSS

OSV•added 2024/06/06 7:15 p.m.•8 views

CVE-2024-3102

A JSON Injection vulnerability exists in the mintplex-labs/anything-llm application, specifically within the username parameter during the login process at the /api/request-token endpoint. The vulnerability arises from improper handling of values, allowing attackers to perform brute force attacks...

5.3CVSS7.3AI score

CVE•added 2024/06/06 6:53 p.m.•47 views

CVE-2024-3150

In mintplex-labs/anything-llm, a vulnerability exists in the thread update flow where HTTP POSTs to /workspace/:slug/thread/:threadSlug/update incorrectly validate user input before passing data to the workspace_thread Prisma model. This flaw enables users with Default or Manager roles to craft a...

8.8CVSS8.3AI score0.00552EPSS

Cvelist•added 2024/06/06 6:53 p.m.•14 views

CVE-2024-3150 Privilege Escalation in mintplex-labs/anything-llm

8.1CVSS0.00552EPSS

Vulnrichment•added 2024/06/06 6:53 p.m.•11 views

CVE-2024-3150 Privilege Escalation in mintplex-labs/anything-llm

8.1CVSS7.1AI score0.00552EPSS

CVE•added 2024/06/06 6:43 p.m.•90 views

CVE-2024-3149

The CVE-2024-3149 entry describes a Server-Side Request Forgery (SSRF) in the upload link feature of mintplex-labs/anything-llm. The vulnerability affects the upload workflow used by users with manager/admin roles, where uploaded links are processed via an internal Collector API using a headless ...

9.6CVSS9.1AI score0.00132EPSS

Cvelist•added 2024/06/06 6:43 p.m.•17 views

CVE-2024-3149 SSRF in mintplex-labs/anything-llm

9.6CVSS0.00132EPSS

Vulnrichment•added 2024/06/06 6:40 p.m.•18 views

CVE-2024-3153 Uncontrolled Resource Consumption in mintplex-labs/anything-llm

6.5CVSS6.7AI score0.00138EPSS