CVE-2024-3101

Exploit

EPSS 0.11%
Veröffentlicht 10.04.2024 17:15:56
Zuletzt bearbeitet 09.07.2025 19:49:24
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

In mintplex-labs/anything-llm, an improper input validation vulnerability allows attackers to escalate privileges by deactivating 'Multi-User Mode'. By sending a specially crafted curl request with the 'multi_user_mode' parameter set to false, an attacker can deactivate 'Multi-User Mode'. This action permits the creation of a new admin user without requiring a password, leading to unauthorized administrative access.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mintplexlabs ≫ Anythingllm Version < 1.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.11%	0.295

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
security@huntr.dev	6.7	1.2	5.5	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://github.com/mintplex-labs/anything-llm/commit/52fac844221a9b951d08ceb93c4c014e9397b1f2

Patch

https://huntr.com/bounties/c114c03e-3348-450f-88f7-538502047bcc

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-3101

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-3101

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-3101

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-3101