PT-2024-23313 · Mintplex · Anything-Llm

Published

2024-04-15

·

Updated

2025-07-09

·

CVE-2024-3028

CVSS v3.1

7.2

High

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

mintplex-labs/anything-llm (affected versions not specified)
Description

The issue is due to improper input validation, which allows an attacker to read and delete arbitrary files on the server. By manipulating the logo filename parameter of the "system-preferences" API endpoint, an attacker can craft requests that read sensitive files such as the application's '.env' file, and can delete files by setting the logo filename to the path of the target file and then invoking the "remove-logo" API endpoint. The root cause is the lack of proper sanitization of user-supplied input.
Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

Weakness Enumeration

Related Identifiers

CVE-2024-3028

Affected Products

Anything-Llm