CVE-2024-2913

Exploit

EPSS 0.11%
Veröffentlicht 07.05.2024 00:15:08
Zuletzt bearbeitet 09.07.2025 19:32:48
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

A race condition vulnerability exists in the mintplex-labs/anything-llm repository, specifically within the user invite acceptance process. Attackers can exploit this vulnerability by sending multiple concurrent requests to accept a single user invite, allowing the creation of multiple user accounts from a single invite link intended for only one user. This bypasses the intended security mechanism that restricts invite acceptance to a single user, leading to unauthorized user creation without detection in the invite tab. The issue is due to the lack of validation for concurrent requests in the backend.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mintplexlabs ≫ Anythingllm Version <= 1.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.11%	0.307

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@huntr.dev	6.5	3.9	2.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.

https://huntr.com/bounties/a3c69faf-cca0-4c10-8739-57e5bef7a95f

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-2913

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-2913

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-2913

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-2913