Denial of Service in mintplex-labs/anything-llm

A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's `id` attribute to a value of 0. This issue affects the current version of the software, with the latest commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. By exploiting this vulnerability, an attacker, with manager or admin privileges, can render a chosen account completely inaccessible. The application's mechanism for suspending accounts does not provide a means to reverse this condition through the UI, leading to uncontrolled resource consumption. The vulnerability is introduced due to the lack of input validation and sanitization in the user modification endpoint and the middleware's token validation logic. This issue has been addressed in version 1.0.0 of the software.

N/A

未加控制的资源消耗(资源穷尽)

AnythingLLM 安全漏洞

AnythingLLM是符合业务要求的文档聊天机器人。 AnythingLLM 1.0.0之前版本存在安全漏洞，该漏洞源于缺乏输入验证和清理，导致资源消耗不受控制以及拒绝服务(DoS)。

N/A

N/A