Vulnerability Details CVE-2024-6842
In version 1.5.5 of mintplex-labs/anything-llm, the `/setup-complete` API endpoint allows unauthorized users to access sensitive system settings. The data returned by the `currentSettings` function includes sensitive information such as API keys for search engines, which can be exploited by attackers to steal these keys and cause loss of user assets.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.218
EPSS Ranking 95.5%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2024-6842
- cpe:2.3:a:mintplexlabs:anythingllm:1.5.5