PT-2024-30188 · Unknown · Anything-Llm

Published: 2024-05-20 · Updated: 2025-07-10 · CVE-2024-4287

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions
anything-llm (affected versions not specified)

Description
A vulnerability exists in the workspace update process due to improper input validation. The application fails to validate or format JSON data sent in an HTTP POST request to "/api/workspace/:workspace-slug/update", allowing it to be executed as part of a database query without restrictions. This enables users with a manager role to craft a request that includes nested write operations, effectively allowing them to create new Administrator accounts.

Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
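
The missing control described above is an allowlist on the update body. The sketch below is an added example, not anything-llm's code or a vendor fix: it accepts only known scalar fields and rejects objects and arrays before they reach the query layer. The field names, the function names and the sample bodies are assumptions constructed for illustration.

```javascript
// Hypothetical allowlist: field name -> required primitive type.
// These names are assumptions, not the project's real schema.
const ALLOWED_FIELDS = Object.freeze({
  name: "string",
  temperature: "number",
  historyLength: "number",
});

class ValidationError extends Error {}

// Returns a fresh object holding only allowlisted scalar fields.
// Anything else throws, so nested objects (the shape a query layer
// would treat as a nested write) are never passed through.
function sanitizeWorkspaceUpdate(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    throw new ValidationError("body must be a JSON object");
  }
  const clean = Object.create(null);
  for (const key of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_FIELDS, key)) {
      throw new ValidationError(`field not allowed: ${key}`);
    }
    const expected = ALLOWED_FIELDS[key];
    const value = body[key];
    const badNumber = expected === "number" && !Number.isFinite(value);
    if (typeof value !== expected || badNumber) {
      throw new ValidationError(`field ${key} must be a ${expected}`);
    }
    clean[key] = value;
  }
  return clean;
}

// Returns the rejection message, or null when the body is accepted.
function rejectionReason(body) {
  try { sanitizeWorkspaceUpdate(body); return null; }
  catch (e) { if (e instanceof ValidationError) return e.message; throw e; }
}

// Constructed sample bodies (not captured traffic).
const okBody = JSON.parse('{"name":"Team notes","temperature":0.7}');
const nestedBody = JSON.parse('{"name":"Team notes","relationField":{"create":{"placeholder":true}}}');
const typedBody = JSON.parse('{"name":{"set":"x"}}');

console.log(sanitizeWorkspaceUpdate(okBody));
console.log(rejectionReason(nestedBody));
console.log(rejectionReason(typedBody));
```

Only the object returned by the sanitizer should be handed to the database call, never the original request body.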

Exploit

RCE

Weakness Enumeration

Related Identifiers

CVE-2024-4287

Affected Products

Anything-Llm