VYPR · Vendor CVEs

Mintplex Labs · All CVEs

70 total · sorted by risk
  • CVE-2024-0404 · Apr 16, 2024
    risk 0.00 · cvss n/a · epss 0.01

    A mass assignment vulnerability exists in the `/api/invite/:code` endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an…

  • CVE-2024-3570 · Apr 10, 2024
    risk 0.00 · cvss n/a · epss 0.00

    A stored Cross-Site Scripting (XSS) vulnerability exists in the chat functionality of the mintplex-labs/anything-llm repository, allowing attackers to execute arbitrary JavaScript in the context of a user's session. By manipulating the ChatBot responses, an attacker can inject…

  • CVE-2024-3101 · Apr 10, 2024
    risk 0.00 · cvss n/a · epss 0.01

    In mintplex-labs/anything-llm, an improper input validation vulnerability allows attackers to escalate privileges by deactivating 'Multi-User Mode'. By sending a specially crafted curl request with the 'multi_user_mode' parameter set to false, an attacker can deactivate…

  • CVE-2024-3283 · Apr 10, 2024
    risk 0.00 · cvss n/a · epss 0.01

    A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multi_user_mode'…

  • CVE-2024-3569 · Apr 10, 2024
    risk 0.00 · cvss n/a · epss 0.01

    A Denial of Service (DoS) vulnerability exists in the mintplex-labs/anything-llm repository when the application is running in 'just me' mode with a password. An attacker can exploit this vulnerability by making a request to the endpoint using the [validatedRequest] middleware…

  • CVE-2024-3025 · Apr 10, 2024
    risk 0.00 · cvss n/a · epss 0.01

    mintplex-labs/anything-llm is vulnerable to path traversal attacks due to insufficient validation of user-supplied input in the logo filename functionality. Attackers can exploit this vulnerability by manipulating the logo filename to reference files outside of the restricted…

  • CVE-2024-0765 · Mar 3, 2024
    risk 0.00 · cvss n/a · epss 0.01

    As a default user on a multi-user instance of AnythingLLM, you could execute a call to the `/export-data` endpoint of the system and then unzip and read that export, which would enable you to exfiltrate data of the system at that save state. This would require the attacker to be…

  • CVE-2024-0795 · Mar 2, 2024
    risk 0.00 · cvss n/a · epss 0.01

    If an attacker was given access to an instance with the admin or manager role, there is no backend authentication that would prevent the attacker from creating a new user with an `admin` role and then using this new account to gain elevated privileges on the instance.

  • CVE-2024-0763 · Feb 27, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Any user can delete an arbitrary folder (recursively) on a remote server due to bad input sanitization leading to path traversal. The attacker would need access to the server at some privilege level since this endpoint is protected and requires authorization.

  • CVE-2024-0759 · Feb 27, 2024
    risk 0.00 · cvss n/a · epss 0.01

    Should an instance of AnythingLLM be hosted on an internal network and the attacker be explicitly granted a permission level of manager or admin, they could link-scrape internally resolving IPs of other services that are on the same network as AnythingLLM. This would require…

  • CVE-2024-0440 · Feb 25, 2024
    risk 0.00 · cvss n/a · epss 0.01

    An attacker with permission to submit a link, or who submits a link via POST to be collected, using the file:// protocol can then introspect host files and other relatively stored files.

  • CVE-2024-0798 · Feb 25, 2024
    risk 0.00 · cvss n/a · epss 0.01

    A privilege escalation vulnerability exists in mintplex-labs/anything-llm, allowing users with 'default' role to delete documents uploaded by 'admin'. Despite the intended restriction that prevents 'default' role users from deleting admin-uploaded documents, an attacker can…

  • CVE-2024-0455 · Feb 25, 2024
    risk 0.00 · cvss n/a · epss 0.01

    The inclusion of the web scraper for AnythingLLM means that any user with the proper authorization level (manager, admin, and when in single user) could put in the URL `http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance`…

  • CVE-2024-0879 · Jan 25, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Authentication bypass in vector-admin allows a user to register to a vector-admin server while “domain restriction” is active, even when not owning an authorized email address.

  • CVE-2024-22422 · Jan 19, 2024
    risk 0.00 · cvss n/a · epss 0.01

    AnythingLLM is an application that turns any document, resource, or piece of content into context that any LLM can use as references during chatting. In versions prior to commit `08d33cfd8` an unauthenticated API route (file export) can allow an attacker to crash the server…

  • CVE-2023-5833 · Oct 30, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Improper Access Control in GitHub repository mintplex-labs/anything-llm prior to 0.1.0.

  • CVE-2023-5832 · Oct 30, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Improper Input Validation in GitHub repository mintplex-labs/anything-llm prior to 0.1.0.

  • CVE-2023-4899 · Sep 11, 2023
    risk 0.00 · cvss n/a · epss 0.01

    SQL Injection in GitHub repository mintplex-labs/anything-llm prior to 0.0.1.

  • CVE-2023-4898 · Sep 11, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Authentication Bypass by Primary Weakness in GitHub repository mintplex-labs/anything-llm prior to 0.0.1.

  • CVE-2023-4897 · Sep 11, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Relative Path Traversal in GitHub repository mintplex-labs/anything-llm prior to 0.0.1.

Page 2 of 2