漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Privilege Escalation via Mass Assignment in mintplex-labs/anything-llm
Vulnerability Description
A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multi_user_mode' system variable, enabling them to access the '/api/system/enable-multi-user' endpoint and create a new admin user. This issue results from the endpoint accepting a full JSON object in the request body without proper validation of modifiable fields, leading to unauthorized modification of system settings and subsequent privilege escalation.
CVSS Information
N/A
Vulnerability Type
CWE-915
Vulnerability Title
AnythingLLM 安全漏洞
Vulnerability Description
AnythingLLM是符合业务要求的文档聊天机器人。 AnythingLLM 存在安全漏洞,该漏洞源于允许具有经理角色的用户通过批量分配问题将其权限升级为管理员角色。
CVSS Information
N/A
Vulnerability Type
N/A