CVE-2024-0765

Name of the Vulnerable Software and Affected Versions AnythingLLM (affected versions not specified)

Description The issue allows a default user on a multi-user instance to execute a call to the "/export-data" endpoint, enabling them to exfiltrate data of the system at that save state. This requires explicit access to the system, which can be granted at any role. After the data is downloaded, it is deleted, leaving no evidence of the exfiltration.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.