Vulnerability in mintplex-labs anything-llm Allows for Easy Creation of New Administrator Accounts
CVE-2024-4287

7.2 HIGH

Key Information:

Vendor: Mintplex Labs (mintplex-labs)
Product: anything-llm
CVE Published: 20 May 2024

What is CVE-2024-4287?

An issue has been identified in Mintplex Labs' Anything-LLM: the workspace update handler does not validate or normalise the JSON body it receives, so the body is handed to the data layer with any nested structure left intact. The affected endpoint is an HTTP POST to /api/workspace/:workspace-slug/update. A user who already holds manager privileges can send a crafted body that carries a nested write operation alongside the expected workspace fields; the data layer then creates a new user record, including one with the Administrator role, without the authorization checks that normally govern account creation. This is a privilege escalation from manager to administrator rather than an authentication bypass, which is why the CVSS vector records Privileges Required as High. The practical check for an affected deployment is whether the update handler copies only a known set of scalar workspace fields from the request, or whether it passes the parsed JSON object through unchanged.
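The following is an added example, not code from Anything-LLM, showing the pattern the description refers to: a handler that hands the parsed JSON body straight to an ORM that honours nested writes, beside a hardened handler that copies only an allowlist of scalar fields. The toy in-memory ORM, the field names (name, openAiTemp, users, role) and the crafted request body are assumptions made for the demonstration and do not reflect the project's real schema or code.

```javascript
// Added example (not Anything-LLM's own code). Demonstrates how an ORM-style
// nested write smuggled into a workspace-update JSON body can create a related
// record, and how an allowlist filter on the body prevents it.
// The store, the field names and the request body are constructed assumptions.

// Toy in-memory store standing in for an ORM that interprets a relation key
// with a nested `create` object as "insert a related row" (assumed semantics).
function makeStore() {
  const db = { workspaces: [{ id: 1, slug: "demo", name: "Demo" }], users: [] };
  return {
    db,
    // Applies scalar fields to the workspace row directly; for any value that
    // is an object carrying `create`, inserts that object as a new related row.
    updateWorkspace(slug, data) {
      const ws = db.workspaces.find((w) => w.slug === slug);
      if (!ws) throw new Error("no such workspace");
      for (const [key, value] of Object.entries(data)) {
        if (value && typeof value === "object" && "create" in value) {
          if (!Array.isArray(db[key])) db[key] = [];
          db[key].push({ id: db[key].length + 1, ...value.create });
        } else {
          ws[key] = value;
        }
      }
      return ws;
    },
  };
}

// Vulnerable pattern: the request body reaches the ORM unchanged, so a nested
// write in the body is executed with the handler's (server-side) authority.
function vulnerableUpdate(store, slug, body) {
  return store.updateWorkspace(slug, body);
}

// Hardened pattern: copy only known scalar fields of the expected primitive
// type. Relation keys and any object-valued field are dropped, so a nested
// write can never reach the ORM from this endpoint.
const WORKSPACE_SCALAR_FIELDS = { name: "string", openAiTemp: "number" }; // assumed field list

function pickWorkspaceFields(body) {
  const clean = {};
  for (const [field, type] of Object.entries(WORKSPACE_SCALAR_FIELDS)) {
    if (Object.prototype.hasOwnProperty.call(body, field) && typeof body[field] === type) {
      clean[field] = body[field];
    }
  }
  return clean;
}

function hardenedUpdate(store, slug, body) {
  return store.updateWorkspace(slug, pickWorkspaceFields(body));
}

// Constructed attacker payload: a legitimate-looking rename plus a nested
// write asking the ORM to create a new user carrying an administrator role.
const CRAFTED_BODY = {
  name: "renamed",
  users: { create: { username: "attacker", password: "x", role: "admin" } },
};

// Runs the same payload through both handlers and reports the outcome.
function demo() {
  const vuln = makeStore();
  vulnerableUpdate(vuln, "demo", CRAFTED_BODY);
  const hard = makeStore();
  hardenedUpdate(hard, "demo", CRAFTED_BODY);
  return {
    adminsCreatedVulnerable: vuln.db.users.filter((u) => u.role === "admin").length,
    adminsCreatedHardened: hard.db.users.filter((u) => u.role === "admin").length,
    nameVulnerable: vuln.db.workspaces[0].name,
    nameHardened: hard.db.workspaces[0].name,
  };
}

console.log(demo());
```

Both handlers apply the harmless rename; only the unfiltered one also creates the admin user. The point of the allowlist is that it is positive: the handler names the fields it accepts and their types, rather than trying to enumerate and strip every relation key the data model might expose, which is the approach that survives schema changes.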


CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • 20 May 2024: Vulnerability published