Description

A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's `id` attribute to a value of 0. This issue affects the current version of the software, with the latest commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. By exploiting this vulnerability, an attacker, with manager or admin privileges, can render a chosen account completely inaccessible. The application's mechanism for suspending accounts does not provide a means to reverse this condition through the UI, leading to uncontrolled resource consumption. The vulnerability is introduced due to the lack of input validation and sanitization in the user modification endpoint and the middleware's token validation logic. This issue has been addressed in version 1.0.0 of the software.

INFO

Published Date :

2024-05-19T22:23:48.278Z

Last Modified :

2024-08-01T20:33:53.194Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2024-4284 vulnerability.

Vendors Products
Mintplexlabs
  • Anythingllm
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-4284.

URL Resource
https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789 cve-icon cve-icon cve-icon
https://huntr.com/bounties/a5f45596-0aef-49e0-9f7d-63f1955a1552 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact