// vulnerability record
live · NVD · CVE-2024-10513
HIGH · published 2025-03-20 10:15 UTC · 1 year ago · modified 2026-06-17 06:55 UTC
CVSS 7.2 / 10
// description
A path traversal vulnerability exists in the 'document uploads manager' feature of mintplex-labs/anything-llm, affecting the latest version prior to 1.2.2. This vulnerability allows users with the 'manager' role to access and manipulate the 'anythingllm.db' database file. By exploiting the vulnerable endpoint '/api/document/move-files', an attacker can move the database file to a publicly accessible directory, download it, and subsequently delete it. This can lead to unauthorized access to sensitive data, privilege escalation, and potential data loss.
// cvss 3.0 vector
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
// weaknesses (CWE)
- CWE-23
- CWE-22