Timothy Carambat

41 exploits Active since Sep 2023
CVE-2024-0795 WRITEUP HIGH WRITEUP
AnythingLLM < 1.0.0 - Authenticated Privilege Escalation via User Creation
If an attacked was given access to an instance with the admin or manager role there is no backend authentication that would prevent the attacked from creating a new user with an `admin` role and then be able to use this new account to have elevated privileges on the instance
CVSS 7.2
CVE-2024-0798 WRITEUP MEDIUM WRITEUP
mintplex-labs/anything-llm - Privilege Escalation
A privilege escalation vulnerability exists in mintplex-labs/anything-llm, allowing users with 'default' role to delete documents uploaded by 'admin'. Despite the intended restriction that prevents 'default' role users from deleting admin-uploaded documents, an attacker can exploit this vulnerability by sending a crafted DELETE request to the /api/system/remove-document endpoint. This vulnerability is due to improper access control checks, enabling unauthorized document deletion and potentially leading to loss of data integrity.
CVSS 6.5
CVE-2024-13060 WRITEUP MEDIUM WRITEUP
AnythingLLM Docker <1.3.1 - Info Disclosure
A vulnerability in AnythingLLM Docker version 1.3.1 allows users with 'Default' permission to access other users' profile pictures by changing the 'id' parameter in the user cookie. This issue is present in versions prior to 1.3.1.
CVSS 4.3
CVE-2024-3101 WRITEUP HIGH WRITEUP
mintplex-labs/anything-llm - Privilege Escalation
In mintplex-labs/anything-llm, an improper input validation vulnerability allows attackers to escalate privileges by deactivating 'Multi-User Mode'. By sending a specially crafted curl request with the 'multi_user_mode' parameter set to false, an attacker can deactivate 'Multi-User Mode'. This action permits the creation of a new admin user without requiring a password, leading to unauthorized administrative access.
CVSS 7.2
CVE-2024-3149 WRITEUP HIGH WRITEUP
AnythingLLM Upload Link - Manager Server-Side Request Forgery
A Server-Side Request Forgery (SSRF) vulnerability exists in the upload link feature of mintplex-labs/anything-llm. This feature, intended for users with manager or admin roles, processes uploaded links through an internal Collector API using a headless browser. An attacker can exploit this by hosting a malicious website and using it to perform actions such as internal port scanning, accessing internal web applications not exposed externally, and interacting with the Collector API. This interaction can lead to unauthorized actions such as arbitrary file deletion and limited Local File Inclusion (LFI), including accessing NGINX access logs which may contain sensitive information.
CVSS 8.8
CVE-2024-3153 WRITEUP MEDIUM WRITEUP
AnythingLLM < 1.0.0 - Denial of Service via Invalid Upload Request
mintplex-labs/anything-llm is affected by an uncontrolled resource consumption vulnerability in its upload file endpoint, leading to a denial of service (DOS) condition. Specifically, the server can be shut down by sending an invalid upload request. An attacker with the ability to upload documents can exploit this vulnerability to cause a DOS condition by manipulating the upload request.
CVSS 6.5
CVE-2024-3166 WRITEUP CRITICAL WRITEUP
AnythingLLM Desktop < 1.4.2 - Stored Cross-Site Scripting and Remote Code Execution via Website Content Embedding
A Cross-Site Scripting (XSS) vulnerability exists in mintplex-labs/anything-llm, affecting both the desktop application version 1.2.0 and the latest version of the web application. The vulnerability arises from the application's feature to fetch and embed content from websites into workspaces, which can be exploited to execute arbitrary JavaScript code. In the desktop application, this flaw can be escalated to Remote Code Execution (RCE) due to insecure application settings, specifically the enabling of 'nodeIntegration' and the disabling of 'contextIsolation' in Electron's webPreferences. The issue has been addressed in version 1.4.2 of the desktop application.
CVSS 9.6
CVE-2024-3283 WRITEUP HIGH WRITEUP
AnythingLLM < 1.0.0 - Authenticated Privilege Escalation via Mass Assignment in Admin System Preferences
A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multi_user_mode' system variable, enabling them to access the '/api/system/enable-multi-user' endpoint and create a new admin user. This issue results from the endpoint accepting a full JSON object in the request body without proper validation of modifiable fields, leading to unauthorized modification of system settings and subsequent privilege escalation.
CVSS 7.2
CVE-2024-3569 WRITEUP HIGH WRITEUP
AnythingLLM < 1.0.0 - Denial of Service via Crafted Authorization Header
A Denial of Service (DoS) vulnerability exists in the mintplex-labs/anything-llm repository when the application is running in 'just me' mode with a password. An attacker can exploit this vulnerability by making a request to the endpoint using the [validatedRequest] middleware with a specially crafted 'Authorization:' header. This vulnerability leads to uncontrolled resource consumption, causing a DoS condition.
CVSS 7.5
CVE-2024-3570 WRITEUP MEDIUM WRITEUP
AnythingLLM < 1.0.0 - Stored Cross-Site Scripting via ChatBot Response Manipulation
A stored Cross-Site Scripting (XSS) vulnerability exists in the chat functionality of the mintplex-labs/anything-llm repository, allowing attackers to execute arbitrary JavaScript in the context of a user's session. By manipulating the ChatBot responses, an attacker can inject malicious scripts to perform actions on behalf of the user, such as creating a new admin account or changing the user's password, leading to a complete takeover of the AnythingLLM application. The vulnerability stems from the improper sanitization of user and ChatBot input, specifically through the use of `dangerouslySetInnerHTML`. Successful exploitation requires convincing an admin to add a malicious LocalAI ChatBot to their AnythingLLM instance.
CVSS 5.4
CVE-2024-4284 WRITEUP MEDIUM WRITEUP
AnythingLLM < 1.0.0 - Authenticated Denial of Service via User ID Modification
A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's `id` attribute to a value of 0. This issue affects the current version of the software, with the latest commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. By exploiting this vulnerability, an attacker, with manager or admin privileges, can render a chosen account completely inaccessible. The application's mechanism for suspending accounts does not provide a means to reverse this condition through the UI, leading to uncontrolled resource consumption. The vulnerability is introduced due to the lack of input validation and sanitization in the user modification endpoint and the middleware's token validation logic. This issue has been addressed in version 1.0.0 of the software.
CVSS 4.9
CVE-2024-4286 WRITEUP MEDIUM WRITEUP
Mintplex-Labs' anything-llm - Info Disclosure
Mintplex-Labs' anything-llm application is vulnerable to improper neutralization of special elements used in an expression language statement, identified in the commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. The vulnerability arises from the application's handling of user modifications by managers or admins, allowing for the modification of all existing attributes of the `user` database entity without proper checks or sanitization. This flaw can be exploited to delete user threads, denying users access to their previously submitted data, or to inject fake threads and/or chat history for social engineering attacks.
CVSS 4.9
CVE-2024-4287 WRITEUP HIGH WRITEUP
mintplex-labs/anything-llm - Privilege Escalation
In mintplex-labs/anything-llm, a vulnerability exists due to improper input validation in the workspace update process. Specifically, the application fails to validate or format JSON data sent in an HTTP POST request to `/api/workspace/:workspace-slug/update`, allowing it to be executed as part of a database query without restrictions. This flaw enables users with a manager role to craft a request that includes nested write operations, effectively allowing them to create new Administrator accounts.
CVSS 7.2
CVE-2024-6842 WRITEUP HIGH WRITEUP
mintplex-labs/anything-llm <1.5.5 - Info Disclosure
In version 1.5.5 of mintplex-labs/anything-llm, the `/setup-complete` API endpoint allows unauthorized users to access sensitive system settings. The data returned by the `currentSettings` function includes sensitive information such as API keys for search engines, which can be exploited by attackers to steal these keys and cause loss of user assets.
CVSS 7.5
CVE-2024-7783 WRITEUP HIGH WRITEUP
AnythingLLM < 1.2.1 - Cleartext Storage of Sensitive Information in JWT Bearer Token
mintplex-labs/anything-llm version latest contains a vulnerability where sensitive information, specifically a password, is improperly stored within a JWT (JSON Web Token) used as a bearer token in single user mode. When decoded, the JWT reveals the password in plaintext. This improper storage of sensitive information poses significant security risks, as an attacker who gains access to the JWT can easily decode it and retrieve the password. The issue is fixed in version 1.0.3.
CVSS 7.5
CVE-2026-21484 WRITEUP MEDIUM WRITEUP
AnythingLLM <e287fab56089cf8fcea9ba579a3ecdeca0daa313 - Info Disclo...
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, so enabling username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue.
CVSS 5.3