CVE-2024-4284

MEDIUM

mintplex-labs/anything-llm - DoS

Title source: llm

Description

A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's `id` attribute to a value of 0. This issue affects the current version of the software, with the latest commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. By exploiting this vulnerability, an attacker, with manager or admin privileges, can render a chosen account completely inaccessible. The application's mechanism for suspending accounts does not provide a means to reverse this condition through the UI, leading to uncontrolled resource consumption. The vulnerability is introduced due to the lack of input validation and sanitization in the user modification endpoint and the middleware's token validation logic. This issue has been addressed in version 1.0.0 of the software.

References (2)

Core 2

Core References

Patch

https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789

View Patch ZIP pw:eip

Exploit, Third Party Advisory

https://huntr.com/bounties/a5f45596-0aef-49e0-9f7d-63f1955a1552

Scores

CVSS v3 4.9

EPSS 0.0014

EPSS Percentile 33.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-400

Status published

Products (1)

mintplexlabs/anythingllm < 1.0.0

Published May 19, 2024

Tracked Since Feb 18, 2026