8.8
CVE-2024-3152
- EPSS 0.57%
- Veröffentlicht 06.06.2024 18:15:17
- Zuletzt bearbeitet 15.10.2025 13:15:42
- Quelle security@huntr.dev
- CVE-Watchlists
- Unerledigt
LoginPrivilege Escalation and Local File Inclusion in mintplex-labs/anything-llm
mintplex-labs/anything-llm is vulnerable to multiple security issues due to improper input validation in several endpoints. An attacker can exploit these vulnerabilities to escalate privileges from a default user role to an admin role, read and delete arbitrary files on the system, and perform Server-Side Request Forgery (SSRF) attacks. The vulnerabilities are present in the `/request-token`, `/workspace/:slug/thread/:threadSlug/update`, `/system/remove-logo`, `/system/logo`, and collector's `/process` endpoints. These issues are due to the application's failure to properly validate user input before passing it to `prisma` functions and other critical operations. Affected versions include the latest version prior to 1.0.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Mintplexlabs ≫ Anythingllm Version < 1.0.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.57% | 0.426 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| security@huntr.dev | 8.8 | 2.8 | 5.9 |
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-755 Improper Handling of Exceptional Conditions
The product does not handle or incorrectly handles an exceptional condition.
CWE-918 Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
https://github.com/mintplex-labs/anything-llm/commit/200bd7f0615347ed2efc07903d510e5a208b0afc
https://huntr.com/bounties/46034fa0-d623-49f8-8ee8-390390181373