We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-5213

Exposure of Sensitive Information in mintplex-labs/anything-llm



Assigner@huntr_ai
Reserved2024-05-22
Published2024-06-20
Updated2024-08-01

Description

In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (`POST /api/request-token`) and after account creations (`POST /api/admin/users/new`). This exposure occurs because the entire User object, including the bcrypt password hash, is included in the response sent to the frontend. This practice could potentially lead to sensitive information exposure despite the use of bcrypt, a strong hashing algorithm. It is recommended not to expose any clues about passwords to the frontend.



MEDIUM: 5.3CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-1230 Exposure of Sensitive Information Through Metadata

Product status

Any version before 1.0.0
affected

References

https://huntr.com/bounties/8794fb65-50aa-40e3-b348-a29838dbf63d

https://github.com/mintplex-labs/anything-llm/commit/9df4521113ddb9a3adb5d0e3941e7d494992629c

cve.org CVE-2024-5213

nvd.nist.gov CVE-2024-5213

Download JSON

Share this page
https://cve.threatint.com
Subscribe to our newsletter to learn more about our work.

© Copyright 2024 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.