CVE-2024-0550

MEDIUM

AnythingLLM < 1.0.0 - Authenticated Relative Path Traversal via Profile Picture API

Title source: llm

Description

A user who is privileged already `manager` or `admin` can set their profile picture via the frontend API using a relative filepath to then user the PFP GET API to download any valid files. The attacker would have to have been granted privileged permissions to the system before executing this attack.

References (2)

Core 2

Core References

Patch

https://github.com/mintplex-labs/anything-llm/commit/e1dcd5ded010b03abd6aa32d1bf0668a48e38e17

View Patch ZIP pw:eip

Exploit, Issue Tracking, Patch, Third Party Advisory

https://huntr.com/bounties/c6afeb5e-f211-4b3d-aa4b-6bad734217a6

Scores

CVSS v3 6.5

EPSS 0.0072

EPSS Percentile 48.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-23

Status published

Products (1)

mintplexlabs/anythingllm < 1.0.0

Published Feb 28, 2024

Tracked Since Feb 18, 2026