CVE-2024-0439 HIGH

CVE-2024-0439: User can manually send request at manager permission to modify system configurations

Vendor Mintplex-Labs
Product mintplex-labs/anything-llm
Weakness CWE-269
Published February 25, 2024
Last update August 21, 2024

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality Low
Integrity High
Availability None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

What the vulnerability does

Description

Users in the manager role are not supposed to be able to modify a set of system settings. The UI hides those settings from managers as a convenience for the role, since most managers would not be savvy enough to modify them, but the restriction is enforced only on the client. A manager can take the token from their own session and change the same settings with a plain HTTP request to the underlying endpoint, because the server verifies that the caller is authenticated but not that the caller holds the required role. While this is not a critical vulnerability, it still needs to be patched so that the server, not the UI, enforces the expected permission level.
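The pattern behind this record is authorization enforced in the UI but not on the server. The following is an added example written for this page, not anything-llm's own code: a settings endpoint is wired two ways, once with only an "is logged in" check (the vulnerable shape) and once with a server-side role check, and a constructed manager token is replayed against both. The Express-style request/response plumbing is simulated in plain Node so it runs offline; the role names (admin, manager, default), the token table, the settings keys and the route path are all assumptions made for the example.

```javascript
'use strict';

// Minimal stand-in for an Express response object (constructed for this example).
function makeResponse() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Run an Express-style middleware chain over one request. A middleware that
// replies without calling next() ends the chain, exactly as in Express.
function dispatch(chain, req) {
  const res = makeResponse();
  let i = 0;
  const next = () => { const fn = chain[i++]; if (fn) fn(req, res, next); };
  next();
  return res;
}

// Assumed role names and a constructed token -> user table.
const ROLES = { admin: 'admin', manager: 'manager', default: 'default' };
const SESSIONS = new Map([
  ['tok-admin',   { id: 1, username: 'alice', role: ROLES.admin }],
  ['tok-manager', { id: 2, username: 'bob',   role: ROLES.manager }],
  ['tok-default', { id: 3, username: 'carol', role: ROLES.default }],
]);

function authenticate(req) {
  const m = /^Bearer (.+)$/.exec(req.headers.authorization || '');
  return m ? SESSIONS.get(m[1]) || null : null;
}

// Authentication only: any user with a valid session passes. This is the
// entire server-side check in the vulnerable shape.
function validatedRequest(req, res, next) {
  const user = authenticate(req);
  if (!user) return res.status(401).json({ error: 'unauthenticated' });
  req.user = user;
  next();
}

// Authorization: the caller's role must be in the allow-list. Hiding a form in
// the UI is not a substitute for this check.
function requireRole(allowed) {
  return (req, res, next) => {
    if (!req.user) return res.status(401).json({ error: 'unauthenticated' });
    if (!allowed.includes(req.user.role)) {
      return res.status(403).json({ error: 'forbidden' });
    }
    next();
  };
}

// In-memory system settings (constructed keys). Only allow-listed keys may be
// written, so an arbitrary body cannot mass-assign unrelated fields.
const SETTABLE_KEYS = ['multi_user_mode', 'vector_db'];
function makeSettingsStore() {
  return { multi_user_mode: true, vector_db: 'lancedb' };
}

function updateSettingsHandler(settings) {
  return (req, res) => {
    for (const key of SETTABLE_KEYS) {
      if (key in req.body) settings[key] = req.body[key];
    }
    res.status(200).json({ success: true, settings: { ...settings } });
  };
}

// Vulnerable wiring: the UI hides the form from managers, but the server only
// checks that the caller is logged in.
function vulnerableUpdate(settings, req) {
  return dispatch([validatedRequest, updateSettingsHandler(settings)], req);
}

// Hardened wiring: the role check runs on the server for every request.
function hardenedUpdate(settings, req) {
  return dispatch(
    [validatedRequest, requireRole([ROLES.admin]), updateSettingsHandler(settings)],
    req
  );
}

// Constructed request: a user replaying their own token against the settings
// endpoint, bypassing the UI entirely.
function settingsRequest(token, body) {
  const headers = token ? { authorization: `Bearer ${token}` } : {};
  return { method: 'POST', url: '/system/update-settings', headers, body };
}

module.exports = { vulnerableUpdate, hardenedUpdate, settingsRequest, makeSettingsStore };
```

Replaying the manager's token through the vulnerable chain flips `multi_user_mode` and returns 200; through the hardened chain the same request is refused with 403 and the store is untouched, while the admin token still succeeds. The check is a middleware rather than logic inside the handler so it can be attached to every privileged route uniformly and audited in one place.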

Key dates

Disclosure timeline

February 25, 2024 CVE published
August 21, 2024 Record updated
