Manager Role Exploitation for Administrator Account Creation
A vulnerability in mintplex-labs/anything-llm allows users with manager roles to create new Administrator accounts due to improper input validation in the workspace update process. This issue affects the latest version of the software and was patched in version 0.0.0.
Available publicly on May 20 2024 | Available with Premium on Apr 26 2024
Remediation Steps
- Update to the patched version (0.0.0) of the software.
- Implement input validation and sanitization for all user-supplied data, especially when dealing with nested JSON objects.
- Review and restrict nested write capabilities in Prisma to prevent unintended database modifications.
- Conduct a thorough security audit of the application to identify and remediate similar vulnerabilities.
- Regularly review and update role-based access control policies to ensure they are enforced as intended.
Patch Details
- Fixed Version: 0.0.0
- Patch Commit: https://github.com/mintplex-labs/anything-llm/commit/94b58249a37a21b1c08deaa2d1edfdecbb6deb18
Want more out of Sightline?
Sightline offers even more for premium customers
Go Premium
We have - related security advisories that are available with Sightline Premium.