PT-2025-12043 · Mintplex · Anything-Llm

Published: 2025-03-20 · Updated: 2025-07-14 · CVE-2024-10513

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

mintplex-labs/anything-llm versions prior to 1.2.2

Description

A path traversal vulnerability exists in the 'document uploads manager' feature, allowing users with the 'manager' role to access and manipulate the 'anythingllm.db' database file. By exploiting the vulnerable endpoint "/api/document/move-files", an attacker can move the database file to a publicly accessible directory, download it, and subsequently delete it. This can lead to unauthorized access to sensitive data, privilege escalation, and potential data loss.

Recommendations

For versions prior to 1.2.2, update to version 1.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/api/document/move-files" endpoint until a patch is available. Restrict the 'manager' role to minimize the risk of exploitation.
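
A server-side check of the kind that closes this class of bug, as an added example (not code from anything-llm or from this advisory): every source and destination in a move request is validated as a path that stays inside the documents root before any file is touched. The `{from, to}` request shape, the function names and the sample paths are assumptions made for illustration.

```javascript
// Added example: safeRelative, validateMoves and the {from, to} request shape
// are hypothetical and not taken from the anything-llm code base.

// Normalise a client-supplied relative path. Returns clean segments joined by
// "/", or null if the path could refer to anything outside the documents root.
function safeRelative(userPath) {
  if (typeof userPath !== "string" || userPath.length === 0) return null;
  if (userPath.includes("\0")) return null;          // NUL byte truncation
  const unified = userPath.replace(/\\/g, "/");      // treat "\" as a separator
  if (unified.startsWith("/") || /^[A-Za-z]:/.test(unified)) return null; // absolute
  const out = [];
  for (const seg of unified.split("/")) {
    if (seg === "" || seg === ".") continue;         // "a//b" and "a/./b"
    if (seg === "..") return null;                   // no parent references at all
    out.push(seg);
  }
  return out.length ? out.join("/") : null;
}

// Validate every pair before any file is moved, so one bad entry rejects the
// whole request instead of leaving a half-applied move.
function validateMoves(moves) {
  if (!Array.isArray(moves)) return { ok: false, moves: [], rejected: [] };
  const clean = [];
  const rejected = [];
  for (const m of moves) {
    const from = safeRelative(m && m.from);
    const to = safeRelative(m && m.to);
    if (from === null || to === null) rejected.push(m);
    else clean.push({ from, to });
  }
  return { ok: rejected.length === 0, moves: rejected.length ? [] : clean, rejected };
}

// Constructed sample requests; the database's real relative location is not
// given on the page, so the second path is a placeholder.
const benign = [{ from: "custom-documents/report.json", to: "folder-a/report.json" }];
const hostile = [{ from: "../anythingllm.db", to: "folder-a/anythingllm.db" }];

// This check is lexical only. A server should also confirm that the resolved
// real path (after symlinks) is still under the documents root.
```
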

Exploit

Fix

LPE

Path traversal

Relative Path Traversal

Weakness Enumeration

Related Identifiers

CVE-2024-10513

Affected Products

Anything-Llm