CVE-2024-4287

In mintplex-labs/anything-llm, a vulnerability exists due to improper input validation in the workspace update process. Specifically, the application fails to validate or format JSON data sent in an HTTP POST request to `/api/workspace/:workspace-slug/update`, allowing it to be executed as part of a database query without restrictions. This flaw enables users with a manager role to craft a request that includes nested write operations, effectively allowing them to create new Administrator accounts.
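The defensive control this record implies is an allow-list on the update body before it reaches the ORM: accept only known scalar fields and reject any object- or array-valued field, since that is the shape a query builder interprets as a nested write. The following is an added example written for this page, not code from anything-llm or from the referenced patch; the field names in `WORKSPACE_UPDATE_FIELDS` are assumed for illustration.

```javascript
// Added example (not anything-llm's own code): allow-list validation of a
// workspace update body so that nested write operations can never be passed
// through to the database query.

// Hypothetical allow-list of editable workspace fields and their scalar types.
const WORKSPACE_UPDATE_FIELDS = {
  name: "string",
  openAiTemp: "number",
  openAiHistory: "number",
  openAiPrompt: "string",
};

function isPlainScalar(value, expectedType) {
  if (value === null || value === undefined) return false;
  if (typeof value !== expectedType) return false;
  if (expectedType === "number" && !Number.isFinite(value)) return false;
  return true;
}

// Returns { ok: true, data } containing only allowed scalar fields, or
// { ok: false, errors } listing every rejected key. Nothing outside the
// allow-list is ever copied into `data`, so the caller can hand `data`
// straight to the update query.
function sanitizeWorkspaceUpdate(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, errors: ["body must be a JSON object"] };
  }
  const errors = [];
  const data = {};
  for (const [key, value] of Object.entries(body)) {
    const expected = WORKSPACE_UPDATE_FIELDS[key];
    if (!expected) {
      errors.push(`unknown field: ${key}`);
      continue;
    }
    if (value !== null && typeof value === "object") {
      // Objects and arrays are exactly what an ORM treats as nested
      // relation/write operations; reject them regardless of key.
      errors.push(`nested value not allowed for field: ${key}`);
      continue;
    }
    if (!isPlainScalar(value, expected)) {
      errors.push(`field ${key} must be a ${expected}`);
      continue;
    }
    data[key] = value;
  }
  return errors.length ? { ok: false, errors } : { ok: true, data };
}
```

The same check should run for every role, including manager, because the record attributes the issue to the server accepting unvalidated input rather than to a missing role check.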
Configurations

Configuration 1

cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*

History

10 Jul 2025, 17:19

Type: CPE
  cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*
Type: References
  Values Removed: https://github.com/mintplex-labs/anything-llm/commit/94b58249a37a21b1c08deaa2d1edfdecbb6deb18 (no tags)
  Values Added: https://github.com/mintplex-labs/anything-llm/commit/94b58249a37a21b1c08deaa2d1edfdecbb6deb18 - Patch
Type: References
  Values Removed: https://huntr.com/bounties/34491fb7-5133-4e80-8782-74124350bbdb (no tags)
  Values Added: https://huntr.com/bounties/34491fb7-5133-4e80-8782-74124350bbdb - Exploit, Third Party Advisory
Type: CWE
  NVD-CWE-noinfo
Type: CVSS
  Values Removed: v2 : unknown, v3 : 8.1
  Values Added: v2 : unknown, v3 : 7.2
Type: First Time
  Mintplexlabs
  Mintplexlabs anythingllm

21 Nov 2024, 09:42

Type: References
  Values Removed: https://github.com/mintplex-labs/anything-llm/commit/94b58249a37a21b1c08deaa2d1edfdecbb6deb18 (no tags)
  Values Added: https://github.com/mintplex-labs/anything-llm/commit/94b58249a37a21b1c08deaa2d1edfdecbb6deb18 (no tags)
Type: References
  Values Removed: https://huntr.com/bounties/34491fb7-5133-4e80-8782-74124350bbdb (no tags)
  Values Added: https://huntr.com/bounties/34491fb7-5133-4e80-8782-74124350bbdb (no tags)
Type: Summary
  • (es) In mintplex-labs/anything-llm, a vulnerability exists due to improper input validation in the workspace update process. Specifically, the application cannot validate or format the JSON data sent in an HTTP POST request to `/api/workspace/:workspace-slug/update`, which allows it to be executed as part of a database query without restrictions. This flaw allows users with an administrator role to create a request that includes nested write operations, which lets them create new administrator accounts.

20 May 2024, 15:17

Type: New CVE

Information

Published : 2024-05-20 13:15

Updated : 2025-07-10 17:19


NVD link : CVE-2024-4287

Mitre link : CVE-2024-4287

CVE.ORG link : CVE-2024-4287


Products Affected

mintplexlabs

  • anythingllm
CWE
CWE-20

Improper Input Validation

NVD-CWE-noinfo