6.5
CVE-2024-5213
- EPSS 0.46%
- Veröffentlicht 20.06.2024 03:15:09
- Zuletzt bearbeitet 15.10.2025 13:15:46
- Quelle security@huntr.dev
- CVE-Watchlists
- Unerledigt
LoginExposure of Sensitive Information in mintplex-labs/anything-llm
In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (`POST /api/request-token`) and after account creations (`POST /api/admin/users/new`). This exposure occurs because the entire User object, including the bcrypt password hash, is included in the response sent to the frontend. This practice could potentially lead to sensitive information exposure despite the use of bcrypt, a strong hashing algorithm. It is recommended not to expose any clues about passwords to the frontend.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Mintplexlabs ≫ Anythingllm Version <= 1.5.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.46% | 0.364 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
|
| security@huntr.dev | 5.3 | 1.6 | 3.6 |
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
|
CWE-201 Insertion of Sensitive Information Into Sent Data
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.
https://github.com/mintplex-labs/anything-llm/commit/9df4521113ddb9a3adb5d0e3941e7d494992629c
https://huntr.com/bounties/8794fb65-50aa-40e3-b348-a29838dbf63d