Home > Vulnerability Database > CVE-2024-0798

Mend.io Vulnerability Database

CVE-2024-0798

Good to know:

Date: February 26, 2024

A privilege escalation vulnerability exists in mintplex-labs/anything-llm, allowing users with 'default' role to delete documents uploaded by 'admin'. Despite the intended restriction that prevents 'default' role users from deleting admin-uploaded documents, an attacker can exploit this vulnerability by sending a crafted DELETE request to the /api/system/remove-document endpoint. This vulnerability is due to improper access control checks, enabling unauthorized document deletion and potentially leading to loss of data integrity.

Language: JS

Severity Score

8.1

Related Resources (4)

Url: https://github.com/mintplex-labs/anything-llm/commit/d5cde8b7c27a47ab45b05b441db16751537f1733

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-0798

Url: https://huntr.com/bounties/607f03a0-ab4d-4905-b253-3d28bbbd363c

Url: https://www.mend.io/vulnerability-database/CVE-2024-0798

Severity Score

8.1

Weakness Type (CWE)

Least Privilege Violation

CWE-272

Top Fix

Upgrade Version

Upgrade to version d5cde8b7c27a47ab45b05b441db16751537f1733

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-0798

Good to know:

Date: February 26, 2024

Language: JS

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?