Vulnerability Information
Although we use advanced large-model technology, its output may still contain inaccurate or outdated information. Shenlong strives to ensure the accuracy of its data, but please verify and judge according to your actual situation.
Vulnerability Title
Exposure of Sensitive Information in mintplex-labs/anything-llm
Vulnerability Description
In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (`POST /api/request-token`) and after account creation (`POST /api/admin/users/new`). This exposure occurs because the entire User object, including the bcrypt password hash, is included in the response sent to the frontend. This practice could lead to sensitive information exposure despite the use of bcrypt, a strong hashing algorithm. It is recommended not to expose any clues about passwords to the frontend.
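As an added illustration (not code from AnythingLLM itself): the response-shaping pattern the description above refers to, shown beside an allow-list fix and a regression check that flags bcrypt-format strings anywhere in a response body. The field names, the sample record and the token placeholder are assumptions for illustration.

```javascript
// Constructed sample of what an ORM might hand back for a logged-in user.
// The bcrypt-format value is synthetic (correct shape, not a real hash).
const SAMPLE_USER = {
  id: 1,
  username: "alice",
  role: "admin",
  password: "$2b$10$" + "x".repeat(22) + "y".repeat(31), // constructed
  createdAt: "2024-01-01T00:00:00.000Z",
};

// Vulnerable pattern: the whole record is serialized into the reply.
function vulnerableLoginResponse(user) {
  return { valid: true, user, token: "<jwt-placeholder>" };
}

// Hardened pattern: allow-list the fields the frontend actually needs.
// An allow-list beats `delete user.password` because any sensitive column
// added later (reset tokens, API keys) is excluded by default, not leaked.
const PUBLIC_USER_FIELDS = ["id", "username", "role", "createdAt"];

function toPublicUser(user) {
  const out = {};
  for (const key of PUBLIC_USER_FIELDS) {
    if (key in user) out[key] = user[key];
  }
  return out;
}

function hardenedLoginResponse(user) {
  return { valid: true, user: toPublicUser(user), token: "<jwt-placeholder>" };
}

// Regression check for tests/CI: walk a response body and return the JSON
// paths of any string shaped like a bcrypt hash ($2a$/$2b$/$2y$ prefix,
// 60 characters), so reintroducing the leak fails the build.
const BCRYPT_RE = /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/;

function findBcryptHashes(value, path = "$") {
  if (typeof value === "string") return BCRYPT_RE.test(value) ? [path] : [];
  if (value && typeof value === "object") {
    return Object.entries(value).flatMap(([k, v]) =>
      findBcryptHashes(v, `${path}.${k}`)
    );
  }
  return [];
}
```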
CVSS Information
N/A
Vulnerability Type
Information Exposure Through Sent Data
Vulnerability Title
AnythingLLM Security Vulnerability
Vulnerability Description
AnythingLLM is a document chatbot built to meet business requirements. mintplex-labs AnythingLLM 1.5.3 and earlier versions contain a security vulnerability that stems from the entire User object (including the bcrypt password hash) being included in the response sent to the frontend; this practice may lead to exposure of sensitive information.
CVSS Information
N/A
Vulnerability Type
N/A