漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Privilege Escalation in mintplex-labs/anything-llm
Vulnerability Description
In mintplex-labs/anything-llm, a vulnerability exists in the thread update process that allows users with Default or Manager roles to escalate their privileges to Administrator. The issue arises from improper input validation when handling HTTP POST requests to the endpoint `/workspace/:slug/thread/:threadSlug/update`. Specifically, the application fails to validate or check user input before passing it to the `workspace_thread` Prisma model for execution. This oversight allows attackers to craft a Prisma relation query operation that manipulates the `users` model to change a user's role to admin. Successful exploitation grants attackers the highest level of user privileges, enabling them to see and perform all actions within the system.
CVSS Information
N/A
Vulnerability Type
对异常条件的处理不恰当
Vulnerability Title
AnythingLLM 输入验证错误漏洞
Vulnerability Description
AnythingLLM是符合业务要求的文档聊天机器人。 AnythingLLM 存在输入验证错误漏洞,该漏洞源于应用程序在将用户输入传递给 Prisma 模型执行之前未能验证或检查用户输入。
CVSS Information
N/A
Vulnerability Type
N/A