Vulnerabilities > CVE-2024-13060 - Unspecified vulnerability in Mintplexlabs Anythingllm Docker

CVSS 4.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

LOW

Integrity impact

NONE

Availability impact

NONE

network

low complexity

mintplexlabs

NVD

Published: 2025-03-20

Updated: 2025-04-01

Summary

A vulnerability in AnythingLLM Docker version 1.3.1 allows users with 'Default' permission to access other users' profile pictures by changing the 'id' parameter in the user cookie. This issue is present in versions prior to 1.3.1.

Vulnerable Configurations

Part	Description	Count
Application	Mintplexlabs Mintplexlabs Anythingllm Docker - Mintplexlabs Anythingllm Docker 1.0.0 Mintplexlabs Anythingllm Docker 1.1.0 Mintplexlabs Anythingllm Docker 1.1.1 Mintplexlabs Anythingllm Docker 1.2.0 Mintplexlabs Anythingllm Docker 1.2.1 Mintplexlabs Anythingllm Docker 1.2.2 Mintplexlabs Anythingllm Docker 1.2.3 Mintplexlabs Anythingllm Docker 1.2.4	9

References

https://github.com/mintplex-labs/anything-llm/commit/696af19c45473172ad4d3ca749281800a4d1a45a
https://huntr.com/bounties/98a49c90-e095-441f-900c-59d463dc8e8f
https://huntr.com/bounties/98a49c90-e095-441f-900c-59d463dc8e8f