CVE-2024-7783 Information
Nov 01, 2024
cve
Description
mintplex-labs/anything-llm (version "latest" at the time of reporting) contains a vulnerability in which sensitive information, specifically a password, is improperly stored within a JWT (JSON Web Token) that is used as a bearer token in single-user mode. When the JWT is decoded, it reveals the password in plaintext. Because a JWT payload is only base64url-encoded, not encrypted, this improper storage poses a significant risk: an attacker who obtains the JWT can decode it and retrieve the password. The issue is fixed in version 1.0.3.
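The following is an added example, not code from the advisory or from the anything-llm project: an offline audit helper that decodes a JWT's payload and flags claim names that should never be carried in a bearer token. The sample tokens, claim values and the list of sensitive claim names are constructed here for illustration.

```python
import base64
import json

# Claim names that should never appear in a bearer token payload. A JWT
# payload is base64url-encoded JSON, readable by anyone holding the token.
# (Constructed list for this example; extend to match your own schema.)
SENSITIVE_CLAIMS = {"password", "passwd", "pwd", "secret", "api_key", "apikey"}


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT without verifying it.

    Signature verification is irrelevant for this audit: the question is
    what the token discloses to anyone who can read it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload_b64 = parts[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped '=' padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def find_sensitive_claims(token: str) -> list[str]:
    """Return the payload claim names that match SENSITIVE_CLAIMS (sorted)."""
    payload = decode_jwt_payload(token)
    return sorted(k for k in payload if k.lower() in SENSITIVE_CLAIMS)


def make_unsigned_jwt(payload: dict) -> str:
    """Build a constructed sample token (alg 'none', empty signature) so the
    audit can run offline. Real tokens would be HMAC- or RSA-signed; the
    payload encoding, and therefore its readability, is identical."""
    def seg(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(payload)}."


# Constructed samples: the vulnerable shape carries the password itself,
# the fixed shape carries only an opaque identifier for the session.
VULNERABLE_TOKEN = make_unsigned_jwt({"password": "constructed-secret", "iat": 1700000000})
FIXED_TOKEN = make_unsigned_jwt({"id": 1, "iat": 1700000000})

if __name__ == "__main__":
    for name, tok in (("vulnerable", VULNERABLE_TOKEN), ("fixed", FIXED_TOKEN)):
        print(name, decode_jwt_payload(tok), "flagged:", find_sensitive_claims(tok))
```

Run the check against tokens issued by your own deployment to confirm that only identifiers and standard claims (such as `iat`) are present.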
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Reference
https://huntr.com/bounties/20e9950f-ad41-4d6b-8bd0-c7f7051695b3
https://github.com/mintplex-labs/anything-llm/commit/4430ddb05988470bc8f0479e7d07db1f7d4646ba
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
Base Score
7.5
Base Severity
HIGH