A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's `id` attribute to a value of 0. This issue affects the current version of the software, with the latest commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. By exploiting this vulnerability, an attacker, with manager or admin privileges, can render a chosen account completely inaccessible. The application's mechanism for suspending accounts does not provide a means to reverse this condition through the UI, leading to uncontrolled resource consumption. The vulnerability is introduced due to the lack of input validation and sanitization in the user modification endpoint and the middleware's token validation logic. This issue has been addressed in version 1.0.0 of the software.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: @huntr_ai
Published: 2024-05-19T22:23:48.278Z
Updated: 2024-08-01T20:33:53.194Z
Reserved: 2024-04-26T23:07:28.737Z
Link: CVE-2024-4284
Vulnrichment
Updated: 2024-08-01T20:33:53.194Z
NVD
Status : Awaiting Analysis
Published: 2024-05-19T23:15:06.960
Modified: 2024-05-20T13:00:04.957
Link: CVE-2024-4284
Redhat
No data.