Vulnerabilities > Mintplexlabs
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-10-29 | CVE-2024-7783 | Cleartext Storage of Sensitive Information vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0 mintplex-labs/anything-llm version latest contains a vulnerability where sensitive information, specifically a password, is improperly stored within a JWT (JSON Web Token) used as a bearer token in single user mode. | 7.5 |
2024-06-20 | CVE-2024-5213 | Exposure of Sensitive Information Through Metadata vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0/1.5.3 In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (`POST /api/request-token`) and after account creations (`POST /api/admin/users/new`). | 6.5 |
2024-06-06 | CVE-2024-3149 | Server-Side Request Forgery (SSRF) vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0 A Server-Side Request Forgery (SSRF) vulnerability exists in the upload link feature of mintplex-labs/anything-llm. | 8.8 |
2024-06-06 | CVE-2024-3150 | Improper Handling of Exceptional Conditions vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0 In mintplex-labs/anything-llm, a vulnerability exists in the thread update process that allows users with Default or Manager roles to escalate their privileges to Administrator. | 8.8 |
2024-06-06 | CVE-2024-3153 | Resource Exhaustion vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0 mintplex-labs/anything-llm is affected by an uncontrolled resource consumption vulnerability in its upload file endpoint, leading to a denial of service (DOS) condition. | 6.5 |
2024-06-06 | CVE-2024-3166 | Cross-site Scripting vulnerability in Mintplexlabs Anythingllm Desktop and Anythingllm Webapp A Cross-Site Scripting (XSS) vulnerability exists in mintplex-labs/anything-llm, affecting both the desktop application version 1.2.0 and the latest version of the web application. | 9.6 |
2024-06-06 | CVE-2024-3102 | Improper Restriction of Excessive Authentication Attempts vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0 A JSON Injection vulnerability exists in the `mintplex-labs/anything-llm` application, specifically within the username parameter during the login process at the `/api/request-token` endpoint. | 5.3 |
2024-06-06 | CVE-2024-3110 | Cross-site Scripting vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0 A stored Cross-Site Scripting (XSS) vulnerability exists in the mintplex-labs/anything-llm application, affecting versions up to and including the latest before 1.0.0. | 8.7 |
2024-06-06 | CVE-2024-3033 | Incorrect Authorization vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0 An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. | 9.4 |
2024-06-06 | CVE-2024-3104 | OS Command Injection vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0 A remote code execution vulnerability exists in mintplex-labs/anything-llm due to improper handling of environment variables. | 9.8 |