Anythingllm
Source repositories
CVEs (69)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-3104 | 0.00 | — | 0.01 | Jun 6, 2024 | A remote code execution vulnerability exists in mintplex-labs/anything-llm due to improper handling of environment variables. Attackers can exploit this vulnerability by injecting arbitrary environment variables via the `POST /api/system/update-env` endpoint, which allows for… | |||
| CVE-2024-3033 | 0.00 | — | 0.01 | Jun 6, 2024 | An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database… | |||
| CVE-2024-3152 | 0.00 | — | 0.01 | Jun 6, 2024 | mintplex-labs/anything-llm is vulnerable to multiple security issues due to improper input validation in several endpoints. An attacker can exploit these vulnerabilities to escalate privileges from a default user role to an admin role, read and delete arbitrary files on the… | |||
| CVE-2024-4084 | 0.00 | — | 0.00 | Jun 5, 2024 | A Server-Side Request Forgery (SSRF) vulnerability exists in the latest version of mintplex-labs/anything-llm, allowing attackers to bypass the official fix intended to restrict access to intranet IP addresses and protocols. Despite efforts to filter out intranet IP addresses… | |||
| CVE-2024-4287 | 0.00 | — | 0.01 | May 20, 2024 | In mintplex-labs/anything-llm, a vulnerability exists due to improper input validation in the workspace update process. Specifically, the application fails to validate or format JSON data sent in an HTTP POST request to `/api/workspace/:workspace-slug/update`, allowing it to be… | |||
| CVE-2024-4284 | 0.00 | — | 0.01 | May 19, 2024 | A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's `id` attribute to a value of 0. This issue affects the current version of the software, with the latest commit id… | |||
| CVE-2024-2913 | 0.00 | — | 0.00 | May 6, 2024 | A race condition vulnerability exists in the mintplex-labs/anything-llm repository, specifically within the user invite acceptance process. Attackers can exploit this vulnerability by sending multiple concurrent requests to accept a single user invite, allowing the creation of… | |||
| CVE-2024-3029 | 0.00 | — | 0.01 | Apr 16, 2024 | In mintplex-labs/anything-llm, an attacker can exploit improper input validation by sending a malformed JSON payload to the '/system/enable-multi-user' endpoint. This triggers an error that is caught by a catch block, which in turn deletes all users and disables the… | |||
| CVE-2024-0549 | 0.00 | — | 0.01 | Apr 16, 2024 | mintplex-labs/anything-llm is vulnerable to a relative path traversal attack, allowing unauthorized attackers with a default role account to delete files and folders within the filesystem, including critical database files such as 'anythingllm.db'. The vulnerability stems from… | |||
| CVE-2024-3028 | 0.00 | — | 0.01 | Apr 16, 2024 | mintplex-labs/anything-llm is vulnerable to improper input validation, allowing attackers to read and delete arbitrary files on the server. By manipulating the 'logo_filename' parameter in the 'system-preferences' API endpoint, an attacker can construct requests to read… | |||
| CVE-2024-0404 | 0.00 | — | 0.01 | Apr 16, 2024 | A mass assignment vulnerability exists in the `/api/invite/:code` endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an… | |||
| CVE-2024-3570 | 0.00 | — | 0.00 | Apr 10, 2024 | A stored Cross-Site Scripting (XSS) vulnerability exists in the chat functionality of the mintplex-labs/anything-llm repository, allowing attackers to execute arbitrary JavaScript in the context of a user's session. By manipulating the ChatBot responses, an attacker can inject… | |||
| CVE-2024-3101 | 0.00 | — | 0.01 | Apr 10, 2024 | In mintplex-labs/anything-llm, an improper input validation vulnerability allows attackers to escalate privileges by deactivating 'Multi-User Mode'. By sending a specially crafted curl request with the 'multi_user_mode' parameter set to false, an attacker can deactivate… | |||
| CVE-2024-3283 | 0.00 | — | 0.01 | Apr 10, 2024 | A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multi_user_mode'… | |||
| CVE-2024-3569 | 0.00 | — | 0.01 | Apr 10, 2024 | A Denial of Service (DoS) vulnerability exists in the mintplex-labs/anything-llm repository when the application is running in 'just me' mode with a password. An attacker can exploit this vulnerability by making a request to the endpoint using the [validatedRequest] middleware… | |||
| CVE-2024-3025 | 0.00 | — | 0.01 | Apr 10, 2024 | mintplex-labs/anything-llm is vulnerable to path traversal attacks due to insufficient validation of user-supplied input in the logo filename functionality. Attackers can exploit this vulnerability by manipulating the logo filename to reference files outside of the restricted… | |||
| CVE-2024-0765 | 0.00 | — | 0.01 | Mar 3, 2024 | As a default user on a multi-user instance of AnythingLLM, you could execute a call to the `/export-data` endpoint of the system and then unzip and read that export that would enable you do exfiltrate data of the system at that save state. This would require the attacked to be… | |||
| CVE-2024-0795 | 0.00 | — | 0.01 | Mar 2, 2024 | If an attacked was given access to an instance with the admin or manager role there is no backend authentication that would prevent the attacked from creating a new user with an `admin` role and then be able to use this new account to have elevated privileges on the instance | |||
| CVE-2024-0763 | 0.00 | — | 0.01 | Feb 27, 2024 | Any user can delete an arbitrary folder (recursively) on a remote server due to bad input sanitization leading to path traversal. The attacker would need access to the server at some privilege level since this endpoint is protected and requires authorization. | |||
| CVE-2024-0759 | 0.00 | — | 0.01 | Feb 27, 2024 | Should an instance of AnythingLLM be hosted on an internal network and the attacked be explicitly granted a permission level of manager or admin, they could link-scrape internally resolving IPs of other services that are on the same network as AnythingLLM. This would require… |
- CVE-2024-3104Jun 6, 2024risk 0.00cvss —epss 0.01
A remote code execution vulnerability exists in mintplex-labs/anything-llm due to improper handling of environment variables. Attackers can exploit this vulnerability by injecting arbitrary environment variables via the `POST /api/system/update-env` endpoint, which allows for…
- CVE-2024-3033Jun 6, 2024risk 0.00cvss —epss 0.01
An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database…
- CVE-2024-3152Jun 6, 2024risk 0.00cvss —epss 0.01
mintplex-labs/anything-llm is vulnerable to multiple security issues due to improper input validation in several endpoints. An attacker can exploit these vulnerabilities to escalate privileges from a default user role to an admin role, read and delete arbitrary files on the…
- CVE-2024-4084Jun 5, 2024risk 0.00cvss —epss 0.00
A Server-Side Request Forgery (SSRF) vulnerability exists in the latest version of mintplex-labs/anything-llm, allowing attackers to bypass the official fix intended to restrict access to intranet IP addresses and protocols. Despite efforts to filter out intranet IP addresses…
- CVE-2024-4287May 20, 2024risk 0.00cvss —epss 0.01
In mintplex-labs/anything-llm, a vulnerability exists due to improper input validation in the workspace update process. Specifically, the application fails to validate or format JSON data sent in an HTTP POST request to `/api/workspace/:workspace-slug/update`, allowing it to be…
- CVE-2024-4284May 19, 2024risk 0.00cvss —epss 0.01
A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's `id` attribute to a value of 0. This issue affects the current version of the software, with the latest commit id…
- CVE-2024-2913May 6, 2024risk 0.00cvss —epss 0.00
A race condition vulnerability exists in the mintplex-labs/anything-llm repository, specifically within the user invite acceptance process. Attackers can exploit this vulnerability by sending multiple concurrent requests to accept a single user invite, allowing the creation of…
- CVE-2024-3029Apr 16, 2024risk 0.00cvss —epss 0.01
In mintplex-labs/anything-llm, an attacker can exploit improper input validation by sending a malformed JSON payload to the '/system/enable-multi-user' endpoint. This triggers an error that is caught by a catch block, which in turn deletes all users and disables the…
- CVE-2024-0549Apr 16, 2024risk 0.00cvss —epss 0.01
mintplex-labs/anything-llm is vulnerable to a relative path traversal attack, allowing unauthorized attackers with a default role account to delete files and folders within the filesystem, including critical database files such as 'anythingllm.db'. The vulnerability stems from…
- CVE-2024-3028Apr 16, 2024risk 0.00cvss —epss 0.01
mintplex-labs/anything-llm is vulnerable to improper input validation, allowing attackers to read and delete arbitrary files on the server. By manipulating the 'logo_filename' parameter in the 'system-preferences' API endpoint, an attacker can construct requests to read…
- CVE-2024-0404Apr 16, 2024risk 0.00cvss —epss 0.01
A mass assignment vulnerability exists in the `/api/invite/:code` endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an…
- CVE-2024-3570Apr 10, 2024risk 0.00cvss —epss 0.00
A stored Cross-Site Scripting (XSS) vulnerability exists in the chat functionality of the mintplex-labs/anything-llm repository, allowing attackers to execute arbitrary JavaScript in the context of a user's session. By manipulating the ChatBot responses, an attacker can inject…
- CVE-2024-3101Apr 10, 2024risk 0.00cvss —epss 0.01
In mintplex-labs/anything-llm, an improper input validation vulnerability allows attackers to escalate privileges by deactivating 'Multi-User Mode'. By sending a specially crafted curl request with the 'multi_user_mode' parameter set to false, an attacker can deactivate…
- CVE-2024-3283Apr 10, 2024risk 0.00cvss —epss 0.01
A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multi_user_mode'…
- CVE-2024-3569Apr 10, 2024risk 0.00cvss —epss 0.01
A Denial of Service (DoS) vulnerability exists in the mintplex-labs/anything-llm repository when the application is running in 'just me' mode with a password. An attacker can exploit this vulnerability by making a request to the endpoint using the [validatedRequest] middleware…
- CVE-2024-3025Apr 10, 2024risk 0.00cvss —epss 0.01
mintplex-labs/anything-llm is vulnerable to path traversal attacks due to insufficient validation of user-supplied input in the logo filename functionality. Attackers can exploit this vulnerability by manipulating the logo filename to reference files outside of the restricted…
- CVE-2024-0765Mar 3, 2024risk 0.00cvss —epss 0.01
As a default user on a multi-user instance of AnythingLLM, you could execute a call to the `/export-data` endpoint of the system and then unzip and read that export that would enable you do exfiltrate data of the system at that save state. This would require the attacked to be…
- CVE-2024-0795Mar 2, 2024risk 0.00cvss —epss 0.01
If an attacked was given access to an instance with the admin or manager role there is no backend authentication that would prevent the attacked from creating a new user with an `admin` role and then be able to use this new account to have elevated privileges on the instance
- CVE-2024-0763Feb 27, 2024risk 0.00cvss —epss 0.01
Any user can delete an arbitrary folder (recursively) on a remote server due to bad input sanitization leading to path traversal. The attacker would need access to the server at some privilege level since this endpoint is protected and requires authorization.
- CVE-2024-0759Feb 27, 2024risk 0.00cvss —epss 0.01
Should an instance of AnythingLLM be hosted on an internal network and the attacked be explicitly granted a permission level of manager or admin, they could link-scrape internally resolving IPs of other services that are on the same network as AnythingLLM. This would require…
Page 3 of 4