CVE-2024-10513

Description

A path traversal vulnerability exists in the document uploads manager feature of mintplex-labs/anything-llm, affecting the latest version prior to 1.2.2. This vulnerability allows users with the manager role to access and manipulate the anythingllm.db database file. By exploiting the vulnerable endpoint /api/document/move-files, an attacker can move the database file to a publicly accessible directory, download it, and subsequently delete it. This can lead to unauthorized access to sensitive data, privilege escalation, and potential data loss.