Home > Vulnerability Database > CVE-2024-0550

Mend.io Vulnerability Database

CVE-2024-0550

Good to know:

Date: February 27, 2024

A user who is privileged already `manager` or `admin` can set their profile picture via the frontend API using a relative filepath to then user the PFP GET API to download any valid files. The attacker would have to have been granted privileged permissions to the system before executing this attack.

Language: JS

Severity Score

9.6

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-0550

Url: https://huntr.com/bounties/c6afeb5e-f211-4b3d-aa4b-6bad734217a6

Url: https://github.com/mintplex-labs/anything-llm/commit/e1dcd5ded010b03abd6aa32d1bf0668a48e38e17

Url: https://www.mend.io/vulnerability-database/CVE-2024-0550

Severity Score

9.6

Weakness Type (CWE)

Relative Path Traversal

CWE-23

Top Fix

Upgrade Version

Upgrade to version e1dcd5ded010b03abd6aa32d1bf0668a48e38e17

Learn More

CVSS v3.1

Base Score:	9.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-0550

Good to know:

Date: February 27, 2024

Language: JS

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?