CVE-2024-0798

Name of the Vulnerable Software and Affected Versions mintplex-labs/anything-llm (affected versions not specified)

Description A privilege escalation issue exists, allowing users with the default role to delete documents uploaded by the admin. This is due to improper access control checks, enabling unauthorized document deletion and potentially leading to loss of data integrity. An attacker can exploit this by sending a crafted DELETE request to the "/api/system/remove-document" endpoint.

Recommendations For mintplex-labs/anything-llm, consider disabling the remove-document functionality for users with the default role until a patch is available. Restrict access to the "/api/system/remove-document" endpoint to minimize the risk of exploitation. Avoid using the remove-folder and remove-document endpoints for sensitive data until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.