CVE-2024-10513
HIGHMintplexlabs Anythingllm < 1.2.2 - Path Traversal
Title source: ruleDescription
A path traversal vulnerability exists in the 'document uploads manager' feature of mintplex-labs/anything-llm, affecting the latest version prior to 1.2.2. This vulnerability allows users with the 'manager' role to access and manipulate the 'anythingllm.db' database file. By exploiting the vulnerable endpoint '/api/document/move-files', an attacker can move the database file to a publicly accessible directory, download it, and subsequently delete it. This can lead to unauthorized access to sensitive data, privilege escalation, and potential data loss.
Scores
CVSS v3
7.2
EPSS
0.0027
EPSS Percentile
50.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-22
CWE-23
Status
published
Affected Products (1)
mintplexlabs/anythingllm
< 1.2.2
Timeline
Published
Mar 20, 2025
Tracked Since
Feb 18, 2026