CVE-2024-5213

· Published 20/06/2024 03:15 · Modified 20/06/2024 12:43

Labels: CVE-2024-5213, 2024-06-20, CWE-1230, [email protected]

Essential information

Published: 20/06/2024 03:15
Modified: 20/06/2024 12:43
Author: Creator
CVSS: 5.3 MEDIUM (v3.0)
CISA KEV: No
CWE: CWE-1230
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

In mintplex-labs/anything-llm versions up to and including 1.5.3, the password hash of a user is returned in the HTTP response after login (`POST /api/request-token`) and after account creation (`POST /api/admin/users/new`). The leak happens because the handlers serialize the entire User object, bcrypt password hash included, into the JSON sent to the frontend. bcrypt is a deliberately slow hash, but that only raises the cost of guessing; anyone who can read the response (the browser and whatever runs in it, proxies, client-side logging) obtains material for offline guessing of weak or reused passwords, so this is still sensitive information exposure. Nothing derived from a password should reach the frontend: strip the hash from the object before serializing it, or better, return only an explicit allow-list of user fields.
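The pattern described above, as an added JavaScript example that is not anything-llm's own code: a stand-in login handler that returns the whole user record (the leaking shape), the same handler built from an allow-list of public fields, and a small checker that walks a JSON response and reports every value that looks like a bcrypt hash, which is the kind of assertion a test suite can run against `/api/request-token` and `/api/admin/users/new`. The user record, the field names and the hash string are constructed sample data; the real project's response shape and field names are not claimed here.

```javascript
// Added example (not code from anything-llm). Field names, the response shape
// and SAMPLE_USER are constructed for illustration only.

// Constructed bcrypt-format string: "$2b$" prefix, cost "10", then 53 chars of
// salt+digest. It is not the hash of any real password.
const SAMPLE_USER = {
  id: 1,
  username: "admin",
  role: "admin",
  password: "$2b$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0",
  suspended: 0,
  createdAt: "2024-06-19T00:00:00.000Z",
};

// Fields the frontend is allowed to see. Anything not listed (password, reset
// tokens, future secret columns) never reaches the response, even if the
// database row grows later.
const PUBLIC_USER_FIELDS = ["id", "username", "role", "suspended", "createdAt"];

// bcrypt hashes are "$2a$", "$2b$", "$2x$" or "$2y$", a two-digit cost, then
// 53 characters of the bcrypt base64 alphabet (22 salt + 31 digest).
const BCRYPT_RE = /^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$/;

// Vulnerable shape: the ORM row is dropped into the response as-is, so the
// bcrypt hash rides along with it.
function vulnerableLoginResponse(user, token) {
  return { valid: true, user, token };
}

// Hardened shape: copy only allow-listed fields into a fresh object. Building a
// new object (rather than `delete user.password`) also avoids mutating the ORM
// record that other code may still need.
function toPublicUser(user) {
  const out = {};
  for (const field of PUBLIC_USER_FIELDS) {
    if (field in user) out[field] = user[field];
  }
  return out;
}

function safeLoginResponse(user, token) {
  return { valid: true, user: toPublicUser(user), token };
}

// Walks any JSON-serializable value and returns the dotted paths of every
// string that matches the bcrypt format. Empty array means "no hash leaked".
function findBcryptHashes(value, path = "") {
  const hits = [];
  if (typeof value === "string") {
    if (BCRYPT_RE.test(value)) hits.push(path || "(root)");
  } else if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findBcryptHashes(item, `${path}[${i}]`)));
  } else if (value && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      hits.push(...findBcryptHashes(child, path ? `${path}.${key}` : key));
    }
  }
  return hits;
}

// Stand-alone demonstration: the leaking response trips the check, the
// allow-listed one does not.
console.log("vulnerable:", findBcryptHashes(vulnerableLoginResponse(SAMPLE_USER, "jwt")));
console.log("hardened:  ", findBcryptHashes(safeLoginResponse(SAMPLE_USER, "jwt")));
```

`findBcryptHashes` is deliberately format-based rather than tied to a field name called `password`, so it also catches the hash if it is copied into another key, nested under a relation, or returned from a different endpoint such as the admin user-creation route.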

NVD status

Status
Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

References