67 matches found
CVE-2024-6842
AnythingLLM (mintplex-labs/anything-llm) version 1.5.5 contains an information-disclosure vulnerability via the /setup-complete (or /api/setup-complete) endpoint, allowing remote, unauthenticated access to currentSettings that can include sensitive API keys for search engines. This enables potent...
CVE-2024-0759
CVE-2024-0759 involves AnythingLLM enabling an attacker with internal-network access and manager/admin privileges to link-scrape IPs of other services on the same network. The root cause is exposure via a link collector that can be used without authentication, allowing internal IP discovery throu...
CVE-2024-0550
CVE-2024-0550 describes a traversal-like flaw where a user with privileged rights (manager/admin) can set their profile picture via the frontend API using a relative filepath, then invoke the PFP GET API to read/download arbitrary files. This is evidenced by multiple sources (e.g., Red Hat, NVD, ...
CVE-2024-0455
CVE-2024-0455 concerns AnythingLLM where a web scraper can trigger a server-side request to the AWS EC2 metadata URL 169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance. If accessed by a user with manager/admin permissions (and in single-user mode) from wit...
CVE-2024-0798
The CVE-2024-0798 entry relates to mintplex-labs/anything-llm, where users with the default role can delete documents uploaded by admin via a crafted DELETE to /api/system/remove-document. The root cause is improper access-control checks that allow unauthorized document deletion, risking data int...
CVE-2024-3283
CVE-2024-3283 concerns mintplex-labs/anything-llm. A mass-assignment flaw in the /admin/system-preferences endpoint lets users with the Manager role modify the multi_user_mode variable, enabling access to /api/system/enable-multi-user and the creation of a new admin user. The root cause is the en...
CVE-2024-0436
Technical details (affected product/version, root cause specifics, exploit scenarios, or remediation) are not publicly available in the provided Connected documents. Monitor for updates from NVD/Red Hat/OSV and other feeds to obtain concrete data.
CVE-2024-0551
CVE-2024-0551 describes an access-control error that allows exporting the database and related data via the default user role for users with prior system access. The export mechanism uses a deterministic name, and the download is initiated by the UI before the export is deleted from the system, i...
CVE-2024-3025
The CVE-2024-3025 entry affects mintplex-labs/anything-llm, where the logo filename handling allows path traversal due to insufficient input validation. Attackers can reference files outside the restricted directory via the logo upload endpoint, exposing the application’s database and potentially...
CVE-2024-0763
CVE-2024-0763 describes an improper validation of the document removal parameter that enables path traversal, allowing an authenticated user to delete an arbitrary folder (recursively) on a remote server. The connected documents consistently state the root cause as bad input sanitization and conf...
CVE-2024-0440
CVE-2024-0440 describes an SSRF-type flaw where an attacker with permission to submit a link or submit via POST a link using the file:// protocol can introspect host files and other relatively stored files. Affected exposure is described across multiple feeds; CVSS data vary by source (NVD: 3.1, ...
CVE-2024-0404
CVE-2024-0404 describes a mass-assignment vulnerability in the mintplex-labs/anything-llm repository, specifically the "/api/invite/:code" endpoint. The issue allows an attacker to inject a privileged role (admin) during account creation via an invitation link by exploiting missing property allow...
CVE-2024-0435
CVE-2024-0435 describes a self-targeted cross-site scripting (XSS) flaw in a chat feature. The vulnerability allows a user to inject XSS payloads into a chat message that executes when the message is sent and on subsequent page loads. According to the sources, exploitation requires the user to ha...
CVE-2024-3149
The CVE-2024-3149 entry describes a Server-Side Request Forgery (SSRF) in the upload link feature of mintplex-labs/anything-llm. The vulnerability affects the upload workflow used by users with manager/admin roles, where uploaded links are processed via an internal Collector API using a headless ...
CVE-2024-4287
In mintplex-labs/anything-llm, a vulnerability exists due to improper input validation in the workspace update flow. The flaw occurs when JSON data sent via HTTP POST to /api/workspace/:workspace-slug/update is not properly validated/formatted, allowing the payload to be executed as part of a dat...
CVE-2024-0439
CVE-2024-0439 describes a privilege-management flaw where manager-level users can modify restricted settings via direct HTTP requests despite UI-level protections. The issue is not labeled as critical in the sources, but multiple advisories note it should be patched to enforce the intended permis...
CVE-2024-3028
CVE-2024-3028 affects mintplex-labs/anything-llm. The issue is improper input validation in the system-preferences API where manipulating the logo_filename parameter can cause reading of arbitrary files (including .env) and deletion via remove-logo. Root cause: lack of proper sanitization of user...
CVE-2024-7783
The CVE-2024-7783 entry concerns mintplex-labs/anything-llm. The vulnerability arises from storing a password inside a JWT used as a bearer token in single-user mode; when the token is decoded, the password is exposed in plaintext. This exposes sensitive credentials to anyone who gains access to ...
CVE-2024-3033
The CVE-2024-3033 issue affects mintplex-labs/anything-llm, specifically the "/api/v/" endpoint and its sub-routes. It is described as an improper authorization vulnerability that allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and del...
CVE-2024-3104
CVE-2024-3104 affects mintplex-labs/anything-llm. The vulnerability arises from improper handling of environment variables, enabling remote code execution via POST /api/system/update-env. Affected versions are prior to 1.0.0; fix is in 1.0.0. Documented impact includes code execution on the host,...
CVE-2024-3570
The CVE-2024-3570 entry affects the chat functionality of mintplex-labs/anything-llm. It describes a stored XSS flaw where user and ChatBot input are not properly sanitized, specifically via dangerouslySetInnerHTML, allowing attackers to execute arbitrary JavaScript in a user’s session. Impacted ...
CVE-2024-5213
CVE-2024-5213 affects mintplex-labs/anything-llm ≤ 1.5.3. The issue arises because the frontend response to login (/api/request-token) and user creation (/api/admin/users/new) includes the entire User object, which contains the bcrypt password hash. This causes exposure of sensitive information e...
CVE-2024-3102
CVE-2024-3102 affects mintplex-labs/anything-llm via a JSON Injection in the login flow, specifically the username parameter at /api/request-token. The root cause is improper handling of values, enabling brute-force attempts without prior username knowledge and, once the password is known, blind ...
CVE-2024-3569
The CVE-2024-3569 entry concerns the mintplex-labs/anything-llm repository, where running in 'just me' mode with a password enables a DoS via the validatedRequest middleware when an attacker sends a crafted Authorization header. Public documents describe uncontrolled resource consumption leading ...
CVE-2024-3101
CVE-2024-3101 affects mintplex-labs/anything-llm. The vulnerability arises from improper input validation in handling multi_user_mode, where sending a crafted request with multi_user_mode set to false can deactivate Multi-User Mode. This enables creation of a new admin user without a password, le...
CVE-2024-22422
CVE-2024-22422 affects AnythingLLM. The vulnerability is in the public, unauthenticated data-export API route that uses the filename parameter to export files. A crafted input can bypass directory-filtering and crash the server when the export is deleted, yielding an unauthenticated Denial of Ser...
CVE-2024-2913
CVE-2024-2913 affects mintplex-labs/anything-llm in the user invite acceptance flow. Root cause: lack of validation for concurrent requests creates a race condition that lets multiple accounts be created from a single invite link intended for one user. Impact: unauthorized user creation without d...
CVE-2024-8249
CVE-2024-8249 affects mintplex-labs/anything-llm, specifically the embeddable chat API. The issue is an unauthenticated Denial of Service triggered by sending a malformed JSON payload to the API endpoint, causing a server crash via an uncaught exception. Affected version: git 6dc3642. Remediation...
CVE-2024-8251
CVE-2024-8251 affects mintplex-labs/anything-llm prior to version 1.2.2. The vulnerability resides in the API endpoint "/embed/:embedId/stream-chat" where user-provided JSON is passed directly to the Prisma where clause, enabling Prisma injection. An attacker can supply crafted JSON such as {"ses...
CVE-2024-0765
The CVE-2024-0765 entry concerns AnythingLLM where a default user on a multi‑user instance can call the /export-data endpoint, unzip/read the export, and exfiltrate system data at the saved state. The vulnerability relies on export functionality accessible to users with explicit system access at ...
CVE-2023-5833
The connected Huntr document provides concrete details for CVE-2023-5833: an improper access control flaw in mintplex-labs/anything-llm prior to 0.1.0 that allows overwriting backend environment variables via the /api/system/update-env endpoint. The vulnerability arises from how KEY_MAPPING expos...
CVE-2024-0549
The CVE-2024-0549 entry concerns mintplex-labs/anything-llm and describes a relative path traversal in deletion requests. The root cause is insufficient input validation/normalization when handling file and folder deletion, allowing an authenticated default-role attacker to delete files (includin...
CVE-2024-0795
CVE-2024-0795 describes a backend authentication/authorization flaw: if an attacker has admin or manager access, there is no backend check to prevent creating a new admin user, enabling privilege escalation. Multiple sources assign a high impact (CVSS ~7.2). The exact affected products/versions a...
CVE-2024-5211
CVE-2024-5211 : Concrete details across multiple sources show a path traversal vulnerability in mintplex-labs/anything-llm. By bypassing the normalizePath() check during the logo-setting flow, an attacker can read, delete, or overwrite the file anythingllm.db and other files in the storage direct...
CVE-2024-3153
CVE-2024-3153 affects mintplex-labs/anything-llm. An uncontrolled resource consumption vulnerability exists in the upload file endpoint, enabling a denial of service by sending an invalid upload request. Documented impact is DOS with availability impact described; no official fix/version is provi...
CVE-2024-3279
The CVE concerns mintplex-labs/anything-llm, specifically the import endpoint. An improper access control flaw allegedly allows anonymous, unauthenticated users to import their own database file, potentially deleting or spoofing the existing anythingllm.db and enabling serving malicious data or c...
CVE-2024-4284
CVE-2024-4284 affects mintplex-labs/anything-llm (versions prior to 1.0.0). The vulnerability allows a DoS by changing a user’s id to 0, enabling a manager/admin to render a target account inaccessible and cause uncontrolled resource consumption. Root cause: lack of input validation/sanitization ...
CVE-2023-4897
CVE-2023-4897 describes a Relative Path Traversal in mintplex-labs/anything-llm prior to 0.0.1. The vulnerability stems from insufficient validation of the filename parameter in the data-exports endpoint, allowing a crafted request to traverse directories and access sensitive local files as demon...
CVE-2024-3029
The CVE-2024-3029 issue affects mintplex-labs/anything-llm. A malformed JSON payload to /system/enable-multi-user triggers an error caught by a catch block that deletes all users and disables multi_user_mode, potentially allowing an attacker to remove existing users and create a new admin without...
CVE-2024-3110
Concretely, CVE-2024-3110 affects mintplex-labs/anything-llm before version 1.0.0. The root cause is improper sanitization/validation of user-supplied URLs when embedding them as external links with icons, allowing a stored XSS via javascript: payloads. Exploitation requires user interaction (e.g...
CVE-2023-5832
CVE-2023-5832 affects mintplex-labs/anything-llm prior to 0.1.0. Root cause: improper input validation in the HTTP API that handles a filename parameter, enabling path traversal and, in some reports, arbitrary file deletion (PoC shows deletion of files like ../../server/storage/anythingllm.db). I...
CVE-2024-3150
In mintplex-labs/anything-llm, a vulnerability exists in the thread update flow where HTTP POSTs to /workspace/:slug/thread/:threadSlug/update incorrectly validate user input before passing data to the workspace_thread Prisma model. This flaw enables users with Default or Manager roles to craft a...
CVE-2024-5208
The CVE concerns mintplex-labs/anything-llm. The vulnerable component is the upload-link endpoint, where an uncontrolled resource‑consumption (DoS) issue can be triggered by sending invalid upload requests. Specifically, an empty body with Content-Length: 0 or a body of arbitrary content (e.g., a...
CVE-2024-5216
CVE-2024-5216 affects mintplex-labs/anything-llm. The root cause is the application not limiting the size of usernames, enabling a DoS through denial of service via extremely large username values. Resulting impact is an unresponsive user management panel, preventing admins from editing, suspendi...
CVE-2024-13059
CVE-2024-13059 affects mintplex-labs/anything-llm prior to 1.3.1. The vulnerability arises from improper handling of non-ASCII filenames in the multer library, where filename transformations can introduce ../ sequences that are not sanitized. This enables path traversal and arbitrary file writes ...
CVE-2024-3152
The CVE-2024-3152 entry for mintplex-labs/anything-llm has concrete technical details in the connected records: multiple endpoints suffer from improper input validation passed to Prisma and other critical operations, enabling privilege escalation from a default user to admin, read/delete of arbit...
CVE-2024-10109
CVE-2024-10109 affects the mintplex-labs/anything-llm repository (commit 5c40419). Affected component: API endpoint /api/system/custom-models, exposed to low-privilege users. Root cause described as insufficient authorization allowing access to a sensitive endpoint, enabling modification of the m...
CVE-2024-10513
CVE-2024-10513 describes a path traversal in mintplex-labs/anything-llm prior to 1.2.2 via the /api/document/move-files endpoint in the document uploads manager. An attacker with the manager role can relocate the anythingllm.db database to a publicly accessible directory, then download and delete...
CVE-2024-7771
CVE-2024-7771 affects the Dockerized mintplex-labs/anything-llm (latest digest 1d9452da2b92). The issue is in the localWhisper audio transcription path: resampling from 1 Hz to 16000 Hz can quickly exhaust memory, causing the Docker container to be killed by the daemon and leading to a denial of ...
CVE-2024-8248
CVE-2024-8248 affects mintplex-labs/anything-llm (commit 296f041). The vulnerability occurs in the project’s normalizePath function, enabling path traversal that can read/write arbitrary files in the storage directory and potentially escalate privileges from manager to admin. Connected sources co...