ГлавнаяУязвимости → CVE-2024-6842
7.5высокая

CVE-2024-6842

Описание

In version 1.5.5 of mintplex-labs/anything-llm, the `/setup-complete` API endpoint allows unauthorized users to access sensitive system settings. The data returned by the `currentSettings` function includes sensitive information such as API keys for search engines, which can be exploited by attackers to steal these keys and cause loss of user assets.

Затрагиваемое ПО
Mintplexlabs Anythingllm
CVSS
Балл7.5 — высокая
ВекторCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Источники
https://github.com/mintplex-labs/anything-llm/commit/8b1ceb30c159cf3a10efa16275bc6849d84e4ea8https://huntr.com/bounties/cd911fc7-ac6b-4974-acd0-9cc926fa8d9e