Informazioni sul CVE-2024-5213
Exposure of Sensitive Information in mintplex-labs/anything-llm
CWE ID: CWE-1230
Base Score (CVSS): N/A
CVE: CVE-2024-5213
Descrizione: In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (`POST /api/request-token`) and after account creations (`POST /api/admin/users/new`). This exposure occurs because the entire User object, including the bcrypt password hash, is included in the response sent to the frontend. This practice could potentially lead to sensitive information exposure despite the use of bcrypt, a strong hashing algorithm. It is recommended not to expose any clues about passwords to the frontend.
Vettore di attacco
Punteggio CVSS
Il CVSS è un sistema di valutazione che misura la gravità di una vulnerabilità informatica considerando fattori come l’impatto potenziale, la probabilità di attacco e la facilità di esecuzione.
Riassunto: .
Dettaglio del Vettore
| Metrica | Valore | Significato | Descrizione |
|---|
Riferimenti esterni
- https://huntr.com/bounties/8794fb65-50aa-40e3-b348-a29838dbf63d
- https://github.com/mintplex-labs/anything-llm/commit/9df4521113ddb9a3adb5d0e3941e7d494992629c
Prodotti interessati
- mintplex-labs – mintplex-labs/anything-llm
Relazioni con altri prodotti
Produttore:mintplex-labs
Prodotto: mintplex-labs/anything-llm
Anno: 2024
CWE: CWE-1230
CVSS: 0.0