Home > Vulnerability Database > CVE-2024-3029

Mend.io Vulnerability Database

CVE-2024-3029

Good to know:

Date: April 15, 2024

In mintplex-labs/anything-llm, an attacker can exploit improper input validation by sending a malformed JSON payload to the '/system/enable-multi-user' endpoint. This triggers an error that is caught by a catch block, which in turn deletes all users and disables the 'multi_user_mode'. The vulnerability allows an attacker to remove all existing users and potentially create a new admin user without requiring a password, leading to unauthorized access and control over the application.

Language: JS

Severity Score

9.0

Related Resources (4)

Url: https://huntr.com/bounties/7189a7a0-9830-459d-b853-bdc2559999a0

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-3029

Url: https://github.com/mintplex-labs/anything-llm/commit/99cfee1e7025fe9a0919a4d506ba1e1b819f6073

Url: https://www.mend.io/vulnerability-database/CVE-2024-3029

Severity Score

9.0

Weakness Type (CWE)

Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version 99cfee1e7025fe9a0919a4d506ba1e1b819f6073

Learn More

CVSS v3.1

Base Score:	9.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-3029

Good to know:

Date: April 15, 2024

Language: JS

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?