A vulnerability in mintplex-labs/anything-llm allows for...
Moderate severity
Unreviewed
Published
May 20, 2024
to the GitHub Advisory Database
•
Updated May 20, 2024
Description
Published by the National Vulnerability Database
May 19, 2024
Published to the GitHub Advisory Database
May 20, 2024
Last updated
May 20, 2024
A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's
id
attribute to a value of 0. This issue affects the current version of the software, with the latest commit id57984fa85c31988b2eff429adfc654c46e0c342a
. By exploiting this vulnerability, an attacker, with manager or admin privileges, can render a chosen account completely inaccessible. The application's mechanism for suspending accounts does not provide a means to reverse this condition through the UI, leading to uncontrolled resource consumption. The vulnerability is introduced due to the lack of input validation and sanitization in the user modification endpoint and the middleware's token validation logic. This issue has been addressed in version 1.0.0 of the software.References