9 matches found

CVE-2024-3025 (added 2024/04/10 5:15 p.m.)

mintplex-labs/anything-llm is vulnerable to path traversal attacks due to insufficient validation of user-supplied input in the logo filename functionality. Attackers can exploit this vulnerability by manipulating the logo filename to reference files outside of the restricted directory. This can le...

CVSS 9.9 | AI score 9.2 | EPSS 0.00169
CVE-2024-3283 (added 2024/04/10 5:15 p.m.)

A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multi_user_mode' system variable, enabling...

CVSS 7.2 | AI score 7 | EPSS 0.0013
CVE-2024-0404 (added 2024/04/16 12:15 a.m.)

A mass assignment vulnerability exists in the /api/invite/:code endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an invitation link, an attacker c...

CVSS 9.1 | AI score 6.7 | EPSS 0.00141
CVE-2024-3028 (added 2024/04/16 12:15 a.m.)

mintplex-labs/anything-llm is vulnerable to improper input validation, allowing attackers to read and delete arbitrary files on the server. By manipulating the 'logo_filename' parameter in the 'system-preferences' API endpoint, an attacker can construct requests to read sensitive files or the appli...

CVSS 7.2 | AI score 6.9 | EPSS 0.00143
CVE-2024-3570 (added 2024/04/10 5:15 p.m.)

A stored Cross-Site Scripting (XSS) vulnerability exists in the chat functionality of the mintplex-labs/anything-llm repository, allowing attackers to execute arbitrary JavaScript in the context of a user's session. By manipulating the ChatBot responses, an attacker can inject malicious scripts to ...

CVSS 5.4 | AI score 3.9 | EPSS 0.00096
CVE-2024-3569 (added 2024/04/10 5:15 p.m.)

A Denial of Service (DoS) vulnerability exists in the mintplex-labs/anything-llm repository when the application is running in 'just me' mode with a password. An attacker can exploit this vulnerability by making a request to the endpoint using the [validatedRequest] middleware with a specially craf...

CVSS 7.5 | AI score 7.4 | EPSS 0.00197
CVE-2024-3101 (added 2024/04/10 5:15 p.m.)

In mintplex-labs/anything-llm, an improper input validation vulnerability allows attackers to escalate privileges by deactivating 'Multi-User Mode'. By sending a specially crafted curl request with the 'multi_user_mode' parameter set to false, an attacker can deactivate 'Multi-User Mode'. This acti...

CVSS 7.2 | AI score 6.6 | EPSS 0.00078
CVE-2024-3029 (added 2024/04/16 12:15 a.m.)

In mintplex-labs/anything-llm, an attacker can exploit improper input validation by sending a malformed JSON payload to the '/system/enable-multi-user' endpoint. This triggers an error that is caught by a catch block, which in turn deletes all users and disables the 'multi_user_mode'. The vulnerabi...

CVSS 9 | AI score 8.8 | EPSS 0.00151
CVE-2024-0549 (added 2024/04/16 12:15 a.m.)

mintplex-labs/anything-llm is vulnerable to a relative path traversal attack, allowing unauthorized attackers with a default role account to delete files and folders within the filesystem, including critical database files such as 'anythingllm.db'. The vulnerability stems from insufficient input va...

CVSS 8.1 | AI score 7.9 | EPSS 0.00248