PT-2024-38577 · Mintplex · Anything-Llm

Published 2024-10-29 · Updated 2024-10-31 · CVE-2024-7783

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: mintplex-labs/anything-llm versions prior to 1.0.3

Description: The issue concerns the improper storage of sensitive information, specifically a password, within a JSON Web Token (JWT) used as a bearer token in single user mode. When decoded, the JWT reveals the password in plaintext, posing significant security risks. An attacker who gains access to the JWT can easily decode it and retrieve the password.

Recommendations: For versions prior to 1.0.3, update to version 1.0.3 to resolve the issue. As a temporary workaround, consider restricting access to the JWT to minimize the risk of exploitation. Avoid using the password variable in the affected JWT until the issue is resolved.


Weakness Enumeration: Cleartext Storage of Sensitive Information

Related Identifiers: CVE-2024-7783

Affected Products: Anything-Llm