CVE-2024-4284
published 2024-05-19CVE-2024-4284: A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's `id` attribute to a value of…
PriorityP423medium4.9CVSS 3.0
AVNACLPRHUINSUCNINAH
EPSS
0.56%
42.3th percentile
A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's `id` attribute to a value of 0. This issue affects the current version of the software, with the latest commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. By exploiting this vulnerability, an attacker, with manager or admin privileges, can render a chosen account completely inaccessible. The application's mechanism for suspending accounts does not provide a means to reverse this condition through the UI, leading to uncontrolled resource consumption. The vulnerability is introduced due to the lack of input validation and sanitization in the user modification endpoint and the middleware's token validation logic. This issue has been addressed in version 1.0.0 of the software.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mintplex-labs | mintplex-labs_anything-llm | >= unspecified < 1.0.0 | 1.0.0 |
| mintplexlabs | anythingllm | < 1.0.0 | 1.0.0 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789https://huntr.com/bounties/a5f45596-0aef-49e0-9f7d-63f1955a1552https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789https://huntr.com/bounties/a5f45596-0aef-49e0-9f7d-63f1955a1552
2024-05-19
Published