9.1
CVE-2024-0404
- EPSS 0.78%
- Veröffentlicht 16.04.2024 00:15:07
- Zuletzt bearbeitet 09.07.2025 19:37:47
- Quelle security@huntr.dev
- CVE-Watchlists
- Unerledigt
Mass Assignment Vulnerability in mintplex-labs/anything-llm
A mass assignment vulnerability exists in the `/api/invite/:code` endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an invitation link, an attacker can add a `role` property with `admin` value, thereby gaining administrative access. This issue arises due to the lack of property allowlisting and blocklisting, enabling the attacker to exploit the system and perform actions as an administrator.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Mintplexlabs ≫ Anythingllm Version < 1.0.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.78% | 0.512 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@huntr.dev | 9.1 | 3.9 | 5.2 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
|
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
https://github.com/mintplex-labs/anything-llm/commit/8cd3a92c660b202655d99bee90b2864694c99946
https://huntr.com/bounties/b4355bae-766a-4bb0-942b-607bc491b23d