CVE-2024-3152

Date: June 6, 2024

mintplex-labs/anything-llm is affected by multiple security issues caused by improper input validation in several endpoints. An attacker can exploit them to escalate from the default user role to the admin role, read and delete arbitrary files on the system, and perform Server-Side Request Forgery (SSRF). The affected endpoints are "/request-token", "/workspace/:slug/thread/:threadSlug/update", "/system/remove-logo", "/system/logo", and the collector's "/process" endpoint. The root cause is that the application does not validate user input before passing it to "prisma" functions and other critical operations. Affected versions include the latest version prior to 1.0.0.
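The description's root cause (unvalidated input handed to Prisma functions) is illustrated below with an added example that is not code from anything-llm: an allowlist validator applied to a JSON body before it becomes a Prisma `where` clause, shown next to the unvalidated pattern. The field names `username` and `password`, the `users` model and the stand-in Prisma client are assumptions.

```javascript
// Added example (not code from anything-llm): allowlist validation of a JSON
// body before it is used to build a Prisma `where` clause. Field names assumed.

const ALLOWED_FIELDS = ["username", "password"];
const MAX_LEN = 256;

// Return a sanitized copy of `body`, or throw on anything unexpected.
// Nested objects are refused because Prisma treats an object inside `where` as
// a set of filter operators, so a caller-controlled object changes query logic.
function validateLoginBody(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    throw new TypeError("body must be a JSON object");
  }
  const clean = {};
  for (const [key, value] of Object.entries(body)) {
    if (!ALLOWED_FIELDS.includes(key)) throw new TypeError(`unexpected field: ${key}`);
    if (typeof value !== "string" || value.length === 0 || value.length > MAX_LEN) {
      throw new TypeError(`${key} must be a non-empty string`);
    }
    clean[key] = value;
  }
  for (const field of ALLOWED_FIELDS) {
    if (!(field in clean)) throw new TypeError(`missing field: ${field}`);
  }
  return clean;
}

// Constructed stand-in for a Prisma client so the example runs offline; it
// simply echoes the `where` clause it was handed (a real client is async).
const fakePrisma = { users: { findFirst: ({ where }) => ({ where }) } };

// Vulnerable pattern: the raw request body becomes the query, operators included.
function requestTokenUnsafe(body, prisma = fakePrisma) {
  return prisma.users.findFirst({ where: body });
}

// Hardened pattern: validate first, then query on exact string matches only.
function requestTokenSafe(body, prisma = fakePrisma) {
  const { username, password } = validateLoginBody(body);
  return prisma.users.findFirst({ where: { username, password } });
}
```

The same allowlist-and-type check applies to any endpoint that forwards request fields into an ORM call; extra fields such as a role are dropped by rejection rather than silently written.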

Language: JS

Severity Score

Weakness Type (CWE)

Improper Input Validation

CWE-20

Server-Side Request Forgery (SSRF)

CWE-918

Improper Handling of Exceptional Conditions

CWE-755

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH