CVE-2024-0798 · CVEKit

cve.orgen

534 chars

A privilege escalation vulnerability exists in mintplex-labs/anything-llm, allowing users with 'default' role to delete documents uploaded by 'admin'. Despite the intended restriction that prevents 'default' role users from deleting admin-uploaded documents, an attacker can exploit this vulnerability by sending a crafted DELETE request to the /api/system/remove-document endpoint. This vulnerability is due to improper access control checks, enabling unauthorized document deletion and potentially leading to loss of data integrity.

NVDen

534 chars

A privilege escalation vulnerability exists in mintplex-labs/anything-llm, allowing users with 'default' role to delete documents uploaded by 'admin'. Despite the intended restriction that prevents 'default' role users from deleting admin-uploaded documents, an attacker can exploit this vulnerability by sending a crafted DELETE request to the /api/system/remove-document endpoint. This vulnerability is due to improper access control checks, enabling unauthorized document deletion and potentially leading to loss of data integrity.

NVDes

303 chars

Un usuario con un rol "predeterminado" que le haya asignado el administrador puede enviar solicitudes HTTP "ELIMINAR" a "eliminar carpeta" y "eliminar documento" para eliminar carpetas y archivos fuente de la instancia, incluso cuando su rol no debería permitir explícitamente esta acción en el sistema.

CVSS metrics across sources

4

Version	Type	Source	Base	Exp	Impact	Vector
3.0	Primary	cve.org	8.1	—	—	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
3.0	Primary	cve.org	8.1	—	—	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N