Home > Vulnerability Database > CVE-2024-3152

Mend.io Vulnerability Database

CVE-2024-3152

Good to know:

Date: June 6, 2024

mintplex-labs/anything-llm is vulnerable to multiple security issues due to improper input validation in several endpoints. An attacker can exploit these vulnerabilities to escalate privileges from a default user role to an admin role, read and delete arbitrary files on the system, and perform Server-Side Request Forgery (SSRF) attacks. The vulnerabilities are present in the `/request-token`, `/workspace/:slug/thread/:threadSlug/update`, `/system/remove-logo`, `/system/logo`, and collector's `/process` endpoints. These issues are due to the application's failure to properly validate user input before passing it to `prisma` functions and other critical operations. Affected versions include the latest version prior to 1.0.0.

Language: JS

Severity Score

8.8

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-3152

Url: https://github.com/mintplex-labs/anything-llm/commit/200bd7f0615347ed2efc07903d510e5a208b0afc

Url: https://huntr.com/bounties/46034fa0-d623-49f8-8ee8-390390181373

Url: https://www.mend.io/vulnerability-database/CVE-2024-3152

Severity Score

8.8

Weakness Type (CWE)

Input Validation

CWE-20

Improper Handling of Exceptional Conditions

CWE-755

Top Fix

Upgrade Version

Upgrade to version 200bd7f0615347ed2efc07903d510e5a208b0afc

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-3152

Good to know:

Date: June 6, 2024

Language: JS

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?