Prisma Vulnerability Allows Escalation of Privileges to Administrator
CVE-2024-3150
Key Information:
- Vendor: Mintplex-labs
- Product: Mintplex-labs/anything-llm
- Status:
- CVE Published: 6 June 2024
Summary
A privilege escalation vulnerability exists in Anything LLM, developed by Mintplex Labs, caused by a critical flaw in the thread update process. The HTTP POST handler for the /workspace/:slug/thread/:threadSlug/update endpoint does not adequately validate the request body, which allows users holding the Default or Manager role to gain Administrator privileges. The unvalidated body is passed into the Prisma update operation intended for the workspace_thread model, so an attacker can include a nested relation write that modifies the related users record and elevates their own role. As a result, the attacker obtains the highest level of permissions in the application and can access and perform any action available in the system.
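The following is an added illustration of the flaw class described above; it is not code from the Anything LLM project or from the advisory. It contrasts a handler that forwards the request body straight into a Prisma update with one that allow-lists the thread's scalar fields. Because Prisma's update accepts nested relation writes in data (for example user: { update: { ... } }), an unvalidated body reaches the related users row. A small in-memory stand-in for the Prisma client applies nested writes the way the real client would so the example runs offline; the model names workspace_threads and users, the relation field user, the column name, and the payload shape are assumptions for the illustration.

```javascript
// Added example, not the project's code. Model/field names are assumptions.
const ALLOWED_THREAD_FIELDS = ["name"]; // scalar columns a caller may change

// Minimal offline stand-in for prisma.workspace_threads.update that honours
// nested relation writes (data.user.update) like the real Prisma client.
function makeFakePrisma() {
  // Constructed sample data: one default-role user who owns one thread.
  const db = {
    users: [{ id: 1, username: "alice", role: "default" }],
    workspace_threads: [{ id: 10, slug: "t1", name: "first", user_id: 1 }],
  };
  return {
    db,
    workspace_threads: {
      update({ where, data }) {
        const thread = db.workspace_threads.find((t) => t.id === where.id);
        if (!thread) throw new Error("thread not found");
        for (const [key, value] of Object.entries(data)) {
          if (key === "user" && value && typeof value === "object" && value.update) {
            // Nested relation write: mutate the related users row.
            const owner = db.users.find((u) => u.id === thread.user_id);
            Object.assign(owner, value.update);
          } else if (Object.prototype.hasOwnProperty.call(thread, key)) {
            thread[key] = value;
          } else {
            throw new Error(`Unknown argument \`${key}\``);
          }
        }
        return thread;
      },
    },
  };
}

// Vulnerable shape: whatever the client sent becomes the `data` argument.
function updateThreadUnsafe(prisma, threadId, body) {
  return prisma.workspace_threads.update({ where: { id: threadId }, data: body });
}

// Hardened shape: copy only known scalar fields with primitive values and
// reject anything else, so relation operators never reach Prisma.
function sanitizeThreadUpdate(body) {
  if (!body || typeof body !== "object" || Array.isArray(body)) {
    throw new Error("Invalid request body");
  }
  const unknown = Object.keys(body).filter((k) => !ALLOWED_THREAD_FIELDS.includes(k));
  if (unknown.length) throw new Error(`Unexpected fields: ${unknown.join(", ")}`);
  const data = {};
  for (const key of ALLOWED_THREAD_FIELDS) {
    if (key in body) {
      if (typeof body[key] !== "string") throw new Error(`${key} must be a string`);
      data[key] = body[key];
    }
  }
  return data;
}

function updateThreadSafe(prisma, threadId, body) {
  return prisma.workspace_threads.update({
    where: { id: threadId },
    data: sanitizeThreadUpdate(body),
  });
}

// Run the same attacker payload through both handlers and report the
// owner's role afterwards.
function demo() {
  // Constructed attacker payload: a legitimate rename plus a nested write
  // that targets the related users row.
  const payload = { name: "renamed", user: { update: { role: "admin" } } };

  const unsafe = makeFakePrisma();
  updateThreadUnsafe(unsafe, 10, payload);

  const safe = makeFakePrisma();
  let safeError = null;
  try {
    updateThreadSafe(safe, 10, payload);
  } catch (e) {
    safeError = e.message;
  }
  return {
    roleAfterUnsafe: unsafe.db.users[0].role, // "admin"
    roleAfterSafe: safe.db.users[0].role,     // "default"
    safeError,                                 // rejection message
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the hardened version is that the allow-list is applied to keys, not just values: a body key that names a relation field is rejected before the ORM ever sees it, so there is no path from the thread update to the users model regardless of which nested operators Prisma supports.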
Affected Version(s)
mintplex-labs/anything-llm < 1.0.0
Timeline
- Vulnerability published: 6 June 2024
- Vulnerability reserved