Description
If an attacker was given access to an instance with the admin or manager role, there is no backend authentication that would prevent the attacker from creating a new user with an admin role and then using this new account to gain elevated privileges on the instance.
References
- Patch
- Exploit, Third Party Advisory
- Patch
- Exploit, Third Party Advisory
Vulnerable configurations
Configuration 1: versions before 1.0.0 (excluding)
cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*
EPSS
Percentile: 61%
0.0041
Low
7.2 High
CVSS3
Weaknesses
CWE-284
Related vulnerabilities
CVSS3: 7.2
github
almost 2 years ago
If an attacker was given access to an instance with the admin or manager role, there is no backend authentication that would prevent the attacker from creating a new user with an `admin` role and then using this new account to gain elevated privileges on the instance.