Unauthorized Administrative Access via Improper Input Validation Vulnerability
CVE-2024-3101
7.2HIGH
What is CVE-2024-3101?
An improper input validation flaw in Anything-LLM enables attackers to escalate privileges by disabling the 'Multi-User Mode'. By crafting a malicious curl request with the 'multi_user_mode' parameter set to false, attackers can deactivate this mode. This manipulation permits the creation of a new admin user without a password, resulting in unauthorized administrative access to the application.
Affected Version(s)
mintplex-labs/anything-llm < 1.0.0