High Severity

anything-llm

Privilege Escalation via Thread Update

A vulnerability in mintplex-labs/anything-llm allows users with Default or Manager roles to escalate their privileges to Administrator by exploiting a bug in the thread update process. This issue affects the latest version of the software and was patched in version 1.0.0.

Available publicly on May 16 2024

8.1

CVE:

CVE-2024-3150

CWE:

20:Improper Input Validation

CVSS:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Credit:

noizybit
AssessDetect

Premium

Remediate
Remediation Steps
  • Ensure your application is updated to version 1.0.0 or later.
  • Implement strict input validation on all endpoints, especially those modifying user roles or permissions.
  • Regularly audit your codebase for security vulnerabilities, particularly in areas where user input is handled.
  • Consider using a web application firewall (WAF) to detect and block malicious requests.
  • Educate users with access to sensitive functionalities about the importance of secure practices.
Patch Details
  • Fixed Version: 1.0.0
  • Patch Commit: https://github.com/mintplex-labs/anything-llm/commit/200bd7f0615347ed2efc07903d510e5a208b0afc
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have 291 related security advisories that are available with Sightline Premium.

Sightline logo
About Protect AIPrivacy PolicyTerms of Service
© 2024 Protect AI, Inc.
Slack iconLinkedIn iconYoutube iconX icon