PT-2025-12169 · Unknown · Anything-Llm

Published: 2025-03-20 · Updated: 2025-07-15 · CVE-2024-6842

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

mintplex-labs/anything-llm version 1.5.5

Description

The issue allows unauthorized users to access sensitive system settings through the "/setup-complete" API endpoint. The data returned by the currentSettings function includes sensitive information, such as API keys for search engines, which can be exploited by attackers to steal these keys and cause loss of user assets.

Recommendations

For version 1.5.5, consider disabling access to the "/setup-complete" API endpoint until a patch is available to prevent unauthorized access to sensitive system settings. Restrict the use of the currentSettings function to authorized users only to minimize the risk of exploitation.
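
The recommendation above, sketched as an added example that is not AnythingLLM's own code: a handler that returns the full settings only to an authenticated admin and an allow-list to everyone else, next to the behaviour the description reports, plus a regression check for credential-like fields. The function names, field names, roles and values are all hypothetical and constructed for illustration.

```javascript
// Constructed stand-in for the settings object; every key and value is a placeholder.
function currentSettingsStub() {
  return {
    RequiresAuth: true,
    MultiUserMode: false,
    AgentSearchApiKey: "constructed-not-a-real-key",
    EmbeddingApiKey: "constructed-not-a-real-key",
  };
}

// Hypothetical allow-list: the only fields a caller without a session may see.
// New settings stay private by default because they are not listed here.
const PUBLIC_FIELDS = ["RequiresAuth", "MultiUserMode"];

// Behaviour the advisory describes: the whole object goes to any caller.
function setupCompleteUnsafe(_caller) {
  return { status: 200, body: currentSettingsStub() };
}

// Hardened form: full settings only for an authenticated admin.
function setupCompleteHardened(caller) {
  const all = currentSettingsStub();
  if (caller && caller.authenticated === true && caller.role === "admin") {
    return { status: 200, body: all };
  }
  const body = {};
  for (const field of PUBLIC_FIELDS) {
    if (field in all) body[field] = all[field];
  }
  return { status: 200, body };
}

// Regression check: names of non-empty response fields that look like credentials.
function leakedSecretFields(body) {
  const secretName = /(key|secret|token|password)/i;
  return Object.keys(body).filter((name) => secretName.test(name) && body[name]);
}

console.log("unsafe, no session:  ", leakedSecretFields(setupCompleteUnsafe(null).body));
console.log("hardened, no session:", leakedSecretFields(setupCompleteHardened(null).body));
```

Running `leakedSecretFields` against the unauthenticated response in a test suite catches a secret field that is later added to the settings object and reaches the allow-list by mistake.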

Exploit

Fix

Missing Authentication

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2024-6842

Affected Products

Anything-Llm