Home > Vulnerability Database > CVE-2024-4284

Mend.io Vulnerability Database

CVE-2024-4284

Good to know:

Date: May 19, 2024

A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's `id` attribute to a value of 0. This issue affects the current version of the software, with the latest commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. By exploiting this vulnerability, an attacker, with manager or admin privileges, can render a chosen account completely inaccessible. The application's mechanism for suspending accounts does not provide a means to reverse this condition through the UI, leading to uncontrolled resource consumption. The vulnerability is introduced due to the lack of input validation and sanitization in the user modification endpoint and the middleware's token validation logic. This issue has been addressed in version 1.0.0 of the software.

Language: JS

Severity Score

4.9

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-4284

Url: https://huntr.com/bounties/a5f45596-0aef-49e0-9f7d-63f1955a1552

Url: https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789

Url: https://www.mend.io/vulnerability-database/CVE-2024-4284

Severity Score

4.9

Weakness Type (CWE)

Uncontrolled Resource Consumption ('Resource Exhaustion')

CWE-400

Top Fix

Upgrade Version

Upgrade to version 1b35bcbeab10b77e6dbd263cceecf1b965a40789

Learn More

CVSS v3.1

Base Score:	4.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-4284

Good to know:

Date: May 19, 2024

Language: JS

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?