6.5

CVE-2024-5213

Exploit

EPSS 0.25%
Veröffentlicht 20.06.2024 03:15:09
Zuletzt bearbeitet 15.10.2025 13:15:46
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (`POST /api/request-token`) and after account creations (`POST /api/admin/users/new`). This exposure occurs because the entire User object, including the bcrypt password hash, is included in the response sent to the frontend. This practice could potentially lead to sensitive information exposure despite the use of bcrypt, a strong hashing algorithm. It is recommended not to expose any clues about passwords to the frontend.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mintplexlabs ≫ Anythingllm Version <= 1.5.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.25%	0.477

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security@huntr.dev	5.3	1.6	3.6	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-201 Insertion of Sensitive Information Into Sent Data

The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.

https://github.com/mintplex-labs/anything-llm/commit/9df4521113ddb9a3adb5d0e3941e7d494992629c

Patch

https://huntr.com/bounties/8794fb65-50aa-40e3-b348-a29838dbf63d

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-5213

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-5213

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-5213

EUVD