2024-04-10 17:08:08
@huntr_ai
PUBLISHED
In mintplex-labs/anything-llm, an improper input validation vulnerability allows attackers to escalate privileges by deactivating Multi-User Mode. By sending a specially crafted curl request with the multi_user_mode parameter set to false, an attacker can deactivate Multi-User Mode. This action permits the creation of a new admin user without requiring a password, leading to unauthorized administrative access.