Note: This project will be discontinued after December 13, 2021.

Product: Anythingllm (Mintplexlabs)
Repositories: Unknown (this might be proprietary software)
Vulnerabilities: 27
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2024-02-26 | CVE-2024-0798 | A privilege escalation vulnerability exists in mintplex-labs/anything-llm, allowing users with 'default' role to delete documents uploaded by 'admin'. Despite the intended restriction that prevents 'default' role users from deleting admin-uploaded documents, an attacker can exploit this vulnerability by sending a crafted DELETE request to the /api/system/remove-document endpoint. This vulnerability is due to improper access control checks, enabling unauthorized document deletion and... | Anythingllm | 6.5 | ||
2024-02-26 | CVE-2024-0435 | User can send a chat that contains an XSS opportunity that will then run when the chat is sent and on subsequent page loads. Given the minimum requirement for a user to send a chat is to be given access to a workspace via an admin the risk is low. Additionally, the location in which the XSS renders is only limited to the user who submits the XSS. Ultimately, this attack is limited to the user attacking themselves. There is no anonymous chat submission unless the user does not take the... | Anythingllm | 5.4 | ||
2024-03-02 | CVE-2024-0795 | If an attacker was given access to an instance with the admin or manager role, there is no backend authentication that would prevent the attacker from creating a new user with an `admin` role and then using this new account to have elevated privileges on the instance. | Anythingllm | 7.2 | ||
2024-02-28 | CVE-2024-0550 | A user who is already privileged (`manager` or `admin`) can set their profile picture via the frontend API using a relative filepath and then use the PFP GET API to download any valid file. The attacker would have to have been granted privileged permissions on the system before executing this attack. | Anythingllm | 6.5 | ||
2024-03-03 | CVE-2024-0765 | As a default user on a multi-user instance of AnythingLLM, you could execute a call to the `/export-data` endpoint of the system and then unzip and read that export, which would enable you to exfiltrate data of the system at that save state. This would require the attacker to be granted explicit access to the system, but they can do this at any role. Additionally, post-download, the data is deleted, so no evidence would exist that the exfiltration occurred. | Anythingllm | 6.5 | ||
2023-09-11 | CVE-2023-4897 | Relative Path Traversal in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. | Anythingllm | 9.8 | ||
2023-10-30 | CVE-2023-5832 | Improper Input Validation in GitHub repository mintplex-labs/anything-llm prior to 0.1.0. | Anythingllm | 9.1 | ||
2023-10-30 | CVE-2023-5833 | Improper Access Control in GitHub repository mintplex-labs/anything-llm prior to 0.1.0. | Anythingllm | 8.8 | ||
2024-01-19 | CVE-2024-22422 | AnythingLLM is an application that turns any document, resource, or piece of content into context that any LLM can use as references during chatting. In versions prior to commit `08d33cfd8` an unauthenticated API route (file export) can allow attacker to crash the server resulting in a denial of service attack. The “data-export” endpoint is used to export files using the filename parameter as user input. The endpoint takes the user input, filters it to avoid directory traversal attacks,... | Anythingllm | 7.5 | ||
2024-06-05 | CVE-2024-4084 | A Server-Side Request Forgery (SSRF) vulnerability exists in the latest version of mintplex-labs/anything-llm, allowing attackers to bypass the official fix intended to restrict access to intranet IP addresses and protocols. Despite efforts to filter out intranet IP addresses starting with 192, 172, 10, and 127 through regular expressions and limit access protocols to HTTP and HTTPS, attackers can still bypass these restrictions using alternative representations of IP addresses and accessing... | Anythingllm | 7.5 | ||