漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Privileged User using traversal to read system files
Vulnerability Description
A user who is privileged already `manager` or `admin` can set their profile picture via the frontend API using a relative filepath to then user the PFP GET API to download any valid files. The attacker would have to have been granted privileged permissions to the system before executing this attack.
CVSS Information
N/A
Vulnerability Type
相对路径遍历
Vulnerability Title
AnythingLLM 安全漏洞
Vulnerability Description
AnythingLLM是符合业务要求的文档聊天机器人。 AnythingLLM存在安全漏洞。攻击者利用该漏洞可以使用相对文件路径通过前端 API 设置其个人资料图片,然后使用 PFP GET API 下载任何有效文件。
CVSS Information
N/A
Vulnerability Type
N/A