Home > Vulnerability Database > CVE-2024-10513

Mend.io Vulnerability Database

CVE-2024-10513

Good to know:

Date: March 20, 2025

A path traversal vulnerability exists in the 'document uploads manager' feature of mintplex-labs/anything-llm, affecting the latest version prior to 1.2.2. This vulnerability allows users with the 'manager' role to access and manipulate the 'anythingllm.db' database file. By exploiting the vulnerable endpoint '/api/document/move-files', an attacker can move the database file to a publicly accessible directory, download it, and subsequently delete it. This can lead to unauthorized access to sensitive data, privilege escalation, and potential data loss.

Severity Score

7.2

Related Resources (4)

Url: https://github.com/mintplex-labs/anything-llm/commit/47a5c7126c20e2277ee56e2c7ee11990886a40a7

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-10513

Url: https://huntr.com/bounties/ad11cecf-161a-4fb1-986f-6f88272cbb9e

Url: https://www.mend.io/vulnerability-database/CVE-2024-10513

Severity Score

7.2

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Relative Path Traversal

CWE-23

Top Fix

Upgrade Version

Upgrade to version https://github.com/mintplex-labs/anything-llm.git - v1.2.2

Learn More

CVSS v3.1

Base Score:	7.2
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-10513

Good to know:

Date: March 20, 2025

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?