CVE-2024-13060

A vulnerability in AnythingLLM Docker version 1.3.1 allows users with 'Default' permission to access other users' profile pictures by changing the 'id' parameter in the user cookie. This issue is present in versions prior to 1.3.1.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/mintplex-labs/anything-llm/commit/696af19c45473172ad4d3ca749281800a4d1a45a	Patch
https://huntr.com/bounties/98a49c90-e095-441f-900c-59d463dc8e8f	Exploit
https://huntr.com/bounties/98a49c90-e095-441f-900c-59d463dc8e8f	Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:mintplexlabs:anythingllm_docker:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-20 10:15

Updated : 2025-10-15 13:15

NVD link : CVE-2024-13060

Mitre link : CVE-2024-13060

CVE.ORG link : CVE-2024-13060

JSON object : View

Products Affected

mintplexlabs

anythingllm_docker

CWE

CWE-862

Missing Authorization

{"id": "CVE-2024-13060", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}], "cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2025-03-20T10:15:32.210", "references": [{"url": "https://github.com/mintplex-labs/anything-llm/commit/696af19c45473172ad4d3ca749281800a4d1a45a", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://huntr.com/bounties/98a49c90-e095-441f-900c-59d463dc8e8f", "tags": ["Exploit"], "source": "[email protected]"}, {"url": "https://huntr.com/bounties/98a49c90-e095-441f-900c-59d463dc8e8f", "tags": ["Exploit"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in AnythingLLM Docker version 1.3.1 allows users with 'Default' permission to access other users' profile pictures by changing the 'id' parameter in the user cookie. This issue is present in versions prior to 1.3.1."}, {"lang": "es", "value": "Una vulnerabilidad en la versi\u00f3n 1.3.1 de Docker de AnythingLLM permite a los usuarios con el permiso \"Predeterminado\" acceder a las fotos de perfil de otros usuarios modificando el par\u00e1metro \"id\" en la cookie de usuario. Este problema est\u00e1 presente en versiones anteriores a la 1.3.1."}], "lastModified": "2025-10-15T13:15:41.773", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mintplexlabs:anythingllm_docker:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D3E9A0B7-118F-4BFE-B218-BE8AF5BDC211", "versionEndExcluding": "1.3.1"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}