CVE-2024-0765

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-0765
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-0765.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-0765
Published
2024-03-03T15:15:07Z
Modified
2024-10-07T23:30:57Z
Summary
[none]
Details

As a default user on a multi-user instance of AnythingLLM, you could call the system's /export-data endpoint, then unzip and read the resulting export, which would enable you to exfiltrate the system's data as of that save state.

This would require the attacker to be granted explicit access to the system, but they can do this at any role. Additionally, the data is deleted after download, so no evidence would exist that the exfiltration occurred.

References

Affected packages

Git / github.com/mintplex-labs/anything-llm

Affected ranges

Type
GIT
Repo
https://github.com/mintplex-labs/anything-llm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed