Note: This project will be discontinued after December 13, 2021.
Product: Anythingllm (Mintplexlabs)
Repositories: Unknown (this might be proprietary software)
Vulnerabilities: 27
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2024-02-28 | CVE-2024-0550 | A user who is already privileged (`manager` or `admin`) can set their profile picture via the frontend API using a relative filepath and then use the PFP GET API to download any valid files. The attacker would have to have been granted privileged permissions to the system before executing this attack. | Anythingllm | 6.5 | | |
| 2024-03-03 | CVE-2024-0765 | As a default user on a multi-user instance of AnythingLLM, you could execute a call to the `/export-data` endpoint of the system and then unzip and read that export, which would enable you to exfiltrate data of the system at that save state. This would require the attacker to be granted explicit access to the system, but they can do this at any role. Additionally, post-download, the data is deleted so no evidence would exist that the exfiltration occurred. | Anythingllm | 6.5 | | |
| 2023-09-11 | CVE-2023-4897 | Relative Path Traversal in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. | Anythingllm | 9.8 | | |
| 2023-10-30 | CVE-2023-5832 | Improper Input Validation in GitHub repository mintplex-labs/anything-llm prior to 0.1.0. | Anythingllm | 9.1 | | |
| 2023-10-30 | CVE-2023-5833 | Improper Access Control in GitHub repository mintplex-labs/anything-llm prior to 0.1.0. | Anythingllm | 8.8 | | |
| 2024-01-19 | CVE-2024-22422 | AnythingLLM is an application that turns any document, resource, or piece of content into context that any LLM can use as references during chatting. In versions prior to commit `08d33cfd8` an unauthenticated API route (file export) can allow an attacker to crash the server, resulting in a denial of service attack. The "data-export" endpoint is used to export files using the filename parameter as user input. The endpoint takes the user input, filters it to avoid directory traversal attacks,... | Anythingllm | 7.5 | | |
| 2024-06-05 | CVE-2024-4084 | A Server-Side Request Forgery (SSRF) vulnerability exists in the latest version of mintplex-labs/anything-llm, allowing attackers to bypass the official fix intended to restrict access to intranet IP addresses and protocols. Despite efforts to filter out intranet IP addresses starting with 192, 172, 10, and 127 through regular expressions and limit access protocols to HTTP and HTTPS, attackers can still bypass these restrictions using alternative representations of IP addresses and accessing... | Anythingllm | 7.5 | | |
| 2024-06-06 | CVE-2024-3033 | An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and deleting specific namespaces, without requiring any authorization or permissions. The issue affects all versions up to and including the latest version, with a fix introduced in version 1.0.0. Exploitation of this... | Anythingllm | 9.4 | | |
| 2024-06-06 | CVE-2024-3104 | A remote code execution vulnerability exists in mintplex-labs/anything-llm due to improper handling of environment variables. Attackers can exploit this vulnerability by injecting arbitrary environment variables via the `POST /api/system/update-env` endpoint, which allows for the execution of arbitrary code on the host running anything-llm. The vulnerability is present in the latest version of anything-llm, with the latest commit identified as fde905aac1812b84066ff72e5f2f90b56d4c3a59. This... | Anythingllm | 9.8 | | |
| 2024-06-06 | CVE-2024-3152 | mintplex-labs/anything-llm is vulnerable to multiple security issues due to improper input validation in several endpoints. An attacker can exploit these vulnerabilities to escalate privileges from a default user role to an admin role, read and delete arbitrary files on the system, and perform Server-Side Request Forgery (SSRF) attacks. The vulnerabilities are present in the `/request-token`, `/workspace/:slug/thread/:threadSlug/update`, `/system/remove-logo`, `/system/logo`, and collector's... | Anythingllm | 8.8 | | |