CVE-2024-3029

Name of the Vulnerable Software and Affected Versions mintplex-labs/anything-llm (affected versions not specified)

Description The issue arises from improper input validation. An attacker can exploit this by sending a malformed JSON payload to the "/system/enable-multi-user" endpoint, triggering an error. This error is caught by a catch block, which then deletes all users and disables the 'multi user mode'. As a result, an attacker can remove all existing users and potentially create a new admin user without requiring a password, leading to unauthorized access and control over the application.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.