Description
An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat version v0.7.5-rc2. The endpoint does not verify whether the provided attachment ID belongs to the current user, allowing any authenticated user to delete attachments of other users.
References
- Patch
- Exploit, Third Party Advisory
Vulnerable configurations
Configuration 1
cpe:2.3:a:librechat:librechat:0.7.5:rc2:*:*:*:*:*:*
EPSS: 0.00068 (Low), percentile: 21%
CVSS3: 7.6 High
CVSS3: 6.5 Medium
Weaknesses
CWE-639
Related vulnerabilities
CVSS3: 7.6
github
11 months ago
An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat version v0.7.5-rc2. The endpoint does not verify whether the provided attachment ID belongs to the current user, allowing any authenticated user to delete attachments of other users.