8.0
CVE-2024-3029 - Improper Input Validation in mintplex-labs/anything-llm
In mintplex-labs/anything-llm, an attacker can exploit improper input validation by sending a malformed JSON payload to the '/system/enable-multi-user' endpoint. This triggers an error that is caught by a catch block, which in turn deletes all users and disables the 'multi_user_mode'. The vulnerabiβ¦
7.5
CVE-2024-1558 - Path Traversal Vulnerability in mlflow/mlflow
A path traversal vulnerability exists in the `_create_model_version()` function within `server/handlers.py` of the mlflow/mlflow repository, due to improper validation of the `source` parameter. Attackers can exploit this vulnerability by crafting a `source` parameter that bypasses the `_validate_nβ¦
0.0
CVE-2024-1665 -
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
7.5
CVE-2024-1594 - Local File Read via Path Traversal in mlflow/mlflow
A path traversal vulnerability exists in the mlflow/mlflow repository, specifically within the handling of the `artifact_location` parameter when creating an experiment. Attackers can exploit this vulnerability by using a fragment component `#` in the artifact location URI to read arbitrary files oβ¦
7.5
CVE-2024-3572 - XML External Entity (XXE) Vulnerability in scrapy/scrapy
The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, β¦
8.1
CVE-2024-1626 - IDOR Vulnerability in lunary-ai/lunary
An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary repository, version 0.3.0, within the project update endpoint. The vulnerability allows authenticated users to modify the name of any project within the system without proper authorization checks, by directly reβ¦
7.5
CVE-2024-1738 - Incorrect Authorization in lunary-ai/lunary
An incorrect authorization vulnerability exists in the lunary-ai/lunary repository, specifically within the evaluations.get route in the evaluations API endpoint. This vulnerability allows unauthorized users to retrieve the results of any organization's evaluation by simply knowing the evaluation Iβ¦
6.5
CVE-2024-1183 - SSRF Vulnerability in gradio-app/gradio
An SSRF (Server-Side Request Forgery) vulnerability exists in the gradio-app/gradio repository, allowing attackers to scan and identify open ports within an internal network. By manipulating the 'file' parameter in a GET request, an attacker can discern the status of internal ports based on the preβ¦
9.8
CVE-2024-1601 - SQL Injection in parisneo/lollms-webui
An SQL injection vulnerability exists in the `delete_discussion()` function of the parisneo/lollms-webui application, allowing an attacker to delete all discussions and message data. The vulnerability is exploitable via a crafted HTTP POST request to the `/delete_discussion` endpoint, which internaβ¦
8.2
CVE-2024-1646 - Authentication Bypass in parisneo/lollms-webui
parisneo/lollms-webui is vulnerable to authentication bypass due to insufficient protection over sensitive endpoints. The application checks if the host parameter is not '0.0.0.0' to restrict access, which is inadequate when the application is bound to a specific interface, allowing unauthorized acβ¦