Vulnerabilities > Mintplexlabs

DATE CVE VULNERABILITY TITLE RISK
2024-10-29 CVE-2024-7783 Cleartext Storage of Sensitive Information vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0
mintplex-labs/anything-llm version latest contains a vulnerability where sensitive information, specifically a password, is improperly stored within a JWT (JSON Web Token) used as a bearer token in single user mode.
network
low complexity
mintplexlabs CWE-312
7.5
2024-06-20 CVE-2024-5213 Exposure of Sensitive Information Through Metadata vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0/1.5.3
In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (`POST /api/request-token`) and after account creations (`POST /api/admin/users/new`).
network
low complexity
mintplexlabs CWE-1230
6.5
2024-06-06 CVE-2024-3149 Server-Side Request Forgery (SSRF) vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0
A Server-Side Request Forgery (SSRF) vulnerability exists in the upload link feature of mintplex-labs/anything-llm.
network
low complexity
mintplexlabs CWE-918
8.8
2024-06-06 CVE-2024-3150 Improper Handling of Exceptional Conditions vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0
In mintplex-labs/anything-llm, a vulnerability exists in the thread update process that allows users with Default or Manager roles to escalate their privileges to Administrator.
network
low complexity
mintplexlabs CWE-755
8.8
2024-06-06 CVE-2024-3153 Resource Exhaustion vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0
mintplex-labs/anything-llm is affected by an uncontrolled resource consumption vulnerability in its upload file endpoint, leading to a denial of service (DOS) condition.
network
low complexity
mintplexlabs CWE-400
6.5
2024-06-06 CVE-2024-3166 Cross-site Scripting vulnerability in Mintplexlabs Anythingllm Desktop and Anythingllm Webapp
A Cross-Site Scripting (XSS) vulnerability exists in mintplex-labs/anything-llm, affecting both the desktop application version 1.2.0 and the latest version of the web application.
network
low complexity
mintplexlabs CWE-79
critical
9.6
2024-06-06 CVE-2024-3102 Improper Restriction of Excessive Authentication Attempts vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0
A JSON Injection vulnerability exists in the `mintplex-labs/anything-llm` application, specifically within the username parameter during the login process at the `/api/request-token` endpoint.
network
low complexity
mintplexlabs CWE-307
5.3
2024-06-06 CVE-2024-3110 Cross-site Scripting vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0
A stored Cross-Site Scripting (XSS) vulnerability exists in the mintplex-labs/anything-llm application, affecting versions up to and including the latest before 1.0.0.
network
low complexity
mintplexlabs CWE-79
8.7
2024-06-06 CVE-2024-3033 Incorrect Authorization vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0
An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes.
network
low complexity
mintplexlabs CWE-863
critical
9.4
2024-06-06 CVE-2024-3104 OS Command Injection vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0
A remote code execution vulnerability exists in mintplex-labs/anything-llm due to improper handling of environment variables.
network
low complexity
mintplexlabs CWE-78
critical
9.8