Manager Role Exploitation for Administrator Account Creation
A vulnerability in mintplex-labs/anything-llm allows users with manager roles to create new Administrator accounts due to improper input validation in the workspace update process. This issue affects the latest version of the software and was patched in version 0.0.0.
Available publicly on May 20 2024 | Available with Premium on Apr 26 2024
Threat Overview
The core of the vulnerability lies in the lack of input validation and formatting when updating workspace settings via an HTTP POST request to /api/workspace/:workspace-slug/update
. By exploiting Prisma's nested write capabilities, attackers can manipulate the request data to execute unintended database queries, allowing the creation of new Administrator accounts. This flaw exposes the application to unauthorized actions and potential admin account takeover.
Attack Scenario
An attacker with manager-level access to the application can exploit this vulnerability by crafting a malicious HTTP POST request containing nested JSON data designed to create a new Administrator account. This is achieved by sending a modified request to the workspace update endpoint, which includes additional parameters for creating a new user with admin privileges. The attacker can then log in with the newly created admin account to perform unauthorized actions.
Who is affected
This vulnerability primarily affects applications running the affected version of mintplex-labs/anything-llm. Specifically, it impacts organizations and users who rely on the role-based access control mechanisms of the software to segregate duties and limit access to sensitive functionalities. Both the integrity of the application and the security of its data are at risk.
Technical Report
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.