CVE-2024-3028 – mintplex-labs/anything-llm is vulnerable to improper input validation, allowing attackers …

16 April 2024

Vuln ID: CVE-2024-3028

Published: 2024-04-16 00:15:11.667

Description: mintplex-labs/anything-llm is vulnerable to improper input validation, allowing attackers to read and delete arbitrary files on the server. By manipulating the ‘logo_filename’ parameter in the ‘system-preferences’ API endpoint, an attacker can construct requests to read sensitive files or the application’s ‘.env’ file, and even delete files by setting the ‘logo_filename’ to the path of the target file and invoking the ‘remove-logo’ API endpoint. This vulnerability is due to the lack of proper sanitization of user-supplied input.

Base Score: –

Vector:

Source: NVD.NIST.GOV

Date:

16 April 2024

Categorie(s):

NVD

Tag(s):

NVD

What to know about AI at this year’s RSA Conference29 April 2024
Atos: French State Offers Non-Binding Intent to Acquire Cybersecurity and Computing Assets29 April 2024
Stop Managing Identities, Segment them Instead29 April 2024
Elastic VP Chris Townsend Says Data Transformation Critical to Improved Government Services29 April 2024
Study Reveals Alarming Levels of USPS Phishing Traffic29 April 2024