Home > Vulnerability Database > CVE-2024-3025

Mend.io Vulnerability Database

CVE-2024-3025

Good to know:

Date: April 10, 2024

mintplex-labs/anything-llm is vulnerable to path traversal attacks due to insufficient validation of user-supplied input in the logo filename functionality. Attackers can exploit this vulnerability by manipulating the logo filename to reference files outside of the restricted directory. This can lead to unauthorized reading or deletion of files by utilizing the `/api/system/upload-logo` and `/api/system/logo` endpoints. The issue stems from the lack of filtering or validation on the logo filename, allowing attackers to target sensitive files such as the application's database.

Language: JS

Severity Score

9.9

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-3025

Url: https://github.com/mintplex-labs/anything-llm/commit/7de23dbb2da932fbfb39f56d981784d3702cf5ce

Url: https://huntr.com/bounties/fb09a352-1016-4481-ae88-7460e2b6062b

Url: https://www.mend.io/vulnerability-database/CVE-2024-3025

Severity Score

9.9

Weakness Type (CWE)

Relative Path Traversal

CWE-23

Top Fix

Upgrade Version

Upgrade to version 7de23dbb2da932fbfb39f56d981784d3702cf5ce

Learn More

CVSS v3.1

Base Score:	9.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-3025

Good to know:

Date: April 10, 2024

Language: JS

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?