CVE-2024-3283

Name of the Vulnerable Software and Affected Versions mintplex-labs/anything-llm (affected versions not specified)

Description A mass assignment issue allows users with manager roles to escalate their privileges to admin roles. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the multi user mode system variable, enabling them to access the '/api/system/enable-multi-user' endpoint and create a new admin user. This issue results from the endpoint accepting a full JSON object in the request body without proper validation of modifiable fields, leading to unauthorized modification of system settings and subsequent privilege escalation.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.