
We found results for “”
CVE-2024-6842
Date: March 20, 2025
In version 1.5.5 of mintplex-labs/anything-llm, the "/setup-complete" API endpoint allows unauthorized users to access sensitive system settings. The data returned by the "currentSettings" function includes sensitive information such as API keys for search engines, which can be exploited by attackers to steal these keys and cause loss of user assets.
Severity Score
Severity Score
Weakness Type (CWE)
Exposure of Sensitive Information to an Unauthorized Actor
CWE-200CVSS v3.1
Base Score: |
|
---|---|
Attack Vector (AV): | NETWORK |
Attack Complexity (AC): | LOW |
Privileges Required (PR): | NONE |
User Interaction (UI): | NONE |
Scope (S): | UNCHANGED |
Confidentiality (C): | HIGH |
Integrity (I): | NONE |
Availability (A): | NONE |