Home > Vulnerability Database > CVE-2024-0550

Mend.io Vulnerability Database

CVE-2024-0550

Date: February 27, 2024

A user who is privileged already `manager` or `admin` can set their profile picture via the frontend API using a relative filepath to then user the PFP GET API to download any valid files. The attacker would have to have been granted privileged permissions to the system before executing this attack.

Language: JS

Severity Score

6.5

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-0550

Url: https://huntr.com/bounties/c6afeb5e-f211-4b3d-aa4b-6bad734217a6

Url: https://github.com/mintplex-labs/anything-llm/commit/e1dcd5ded010b03abd6aa32d1bf0668a48e38e17

Url: https://www.mend.io/vulnerability-database/CVE-2024-0550

Severity Score

6.5

Weakness Type (CWE)

Relative Path Traversal

CWE-23

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-0550

Date: February 27, 2024

Language: JS

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?