
CVE-2024-10109
Good to know:

Date: March 20, 2025
A vulnerability in the mintplex-labs/anything-llm repository, as of commit 5c40419, allows low-privilege users to access the sensitive API endpoint "/api/system/custom-models". This access lets them modify the model's API key and base path, which can lead to API key leakage and denial of service on chats.
Severity Score
Weakness Type (CWE)
Incorrect Authorization
CWE-863

Top Fix

Upgrade Version
Upgrade to version https://github.com/mintplex-labs/anything-llm.git - v1.4.0
CVSS v3.1
Base Score: | |
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | LOW |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | HIGH |
Integrity (I): | LOW |
Availability (A): | HIGH |