Vulnerabilities > Mintplexlabs > Medium

DATE CVE VULNERABILITY TITLE RISK
2024-06-20 CVE-2024-5213 Unspecified vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0/1.5.3
In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (`POST /api/request-token`) and after account creation (`POST /api/admin/users/new`).
network
low complexity
mintplexlabs
6.5
2024-06-06 CVE-2024-3153 Unspecified vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0
mintplex-labs/anything-llm is affected by an uncontrolled resource consumption vulnerability in its upload file endpoint, leading to a denial of service (DoS) condition.
network
low complexity
mintplexlabs
6.5
2024-06-06 CVE-2024-3102 Unspecified vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0
A JSON Injection vulnerability exists in the `mintplex-labs/anything-llm` application, specifically within the username parameter during the login process at the `/api/request-token` endpoint.
network
low complexity
mintplexlabs
5.3
2024-03-03 CVE-2024-0765 Unspecified vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0
As a default user on a multi-user instance of AnythingLLM, you could execute a call to the `/export-data` endpoint of the system and then unzip and read that export, which would enable you to exfiltrate data of the system at that save state. This would require the attacker to be granted explicit access to the system, but they can do this at any role.
network
low complexity
mintplexlabs
6.5
2024-02-28 CVE-2024-0550 Unspecified vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0
A user who is already privileged (`manager` or `admin`) can set their profile picture via the frontend API using a relative filepath and then use the PFP GET API to download any valid files. The attacker would have to have been granted privileged permissions to the system before executing this attack.
network
low complexity
mintplexlabs
6.5
2024-01-25 CVE-2024-0879 Unspecified vulnerability in Mintplexlabs Vector Admin
Authentication bypass in vector-admin allows a user to register to a vector-admin server while “domain restriction” is active, even when not owning an authorized email address.
network
low complexity
mintplexlabs
4.3