mintplex-labs/anything-llm is vulnerable to path traversal attacks due to insufficient validation of user-supplied input in the logo filename functionality. Attackers can exploit this vulnerability by manipulating the logo filename to reference files outside of the restricted directory. This can lead to unauthorized reading or deletion of files by utilizing the `/api/system/upload-logo` and `/api/system/logo` endpoints. The issue stems from the lack of filtering or validation on the logo filename, allowing attackers to target sensitive files such as the application's database.
The vulnerability results from lack of filtering and validation of the logo filename in the endpoints `/api/system/upload-logo` and `/api/system/logo`. An attacker with basic authentication level can manipulate the logo filename by inserting path traversal sequences (e.g., `../../`), allowing access to files outside the permitted directory. This makes it possible to both read and delete arbitrary files accessible to the application process, including the database.
An attacker can gain unauthorized access to sensitive application files (including the database) or permanently delete them, leading to data confidentiality breach and potential loss of system integrity and availability.
Update the application to a version containing the fix introduced in commit 7de23dbb2da932fbfb39f56d981784d3702cf5ce available in the GitHub repository mintplex-labs/anything-llm. Details in the vendor references and huntr.com report.
mintplex-labs/anything-llm — versions indicated in vendor references (before commit 7de23dbb2da932fbfb39f56d981784d3702cf5ce)
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HMintplexlabs Anythingllm
APPMintplexlabs< 1.0.0
Related vulnerabilities
XSS eskalujący do RCE w AnythingLLM Desktop poprzez podatny renderer Electron
Nieprawidłowa kontrola dostępu w AnythingLLM — nieautoryzowana manipulacja bazą danych
RCE poprzez command injection w Mintplex Labs AnythingLLM
Brak autoryzacji w AnythingLLM — destrukcyjny dostęp do VectorDB
Mass assignment w anything-llm umożliwia nieautoryzowane tworzenie kont admin