U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Change Records for CVE-2024-4284

Change History

New CVE Received from huntr.dev 5/19/2024 7:15:06 PM

Action Type Old Value New Value
Added Description

								
							
							
						
A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's `id` attribute to a value of 0. This issue affects the current version of the software, with the latest commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. By exploiting this vulnerability, an attacker, with manager or admin privileges, can render a chosen account completely inaccessible. The application's mechanism for suspending accounts does not provide a means to reverse this condition through the UI, leading to uncontrolled resource consumption. The vulnerability is introduced due to the lack of input validation and sanitization in the user modification endpoint and the middleware's token validation logic. This issue has been addressed in version 1.0.0 of the software.
Added CVSS V3

								
							
							
						
huntr.dev AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Added CWE

								
							
							
						
huntr.dev CWE-400
Added Reference

								
							
							
						
huntr.dev https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789 [No types assigned]
Added Reference

								
							
							
						
huntr.dev https://huntr.com/bounties/a5f45596-0aef-49e0-9f7d-63f1955a1552 [No types assigned]