漏洞标题
在mintplex-labs/anything-llm中敏感信息的暴露
漏洞描述信息
在mintplex-labs/anything-llm版本1.5.3及更早版本中,发现了一个问题,在登录(POST /api/request-token)和账户创建(POST /api/admin/users/new)之后,用户密码散列会在响应中返回。这种暴露发生在整个User对象(包括bcrypt密码散列)被包含在发送给前端的响应中时。尽管使用了bcrypt,一种强大的散列算法,这种做法仍然可能导致敏感信息的泄露。建议不要在前端暴露任何关于密码的线索。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
漏洞类别
信息暴露
漏洞标题
Exposure of Sensitive Information in mintplex-labs/anything-llm
漏洞描述信息
In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (`POST /api/request-token`) and after account creations (`POST /api/admin/users/new`). This exposure occurs because the entire User object, including the bcrypt password hash, is included in the response sent to the frontend. This practice could potentially lead to sensitive information exposure despite the use of bcrypt, a strong hashing algorithm. It is recommended not to expose any clues about passwords to the frontend.
CVSS信息
N/A
漏洞类别
N/A
漏洞标题
AnythingLLM 安全漏洞
漏洞描述信息
AnythingLLM是符合业务要求的文档聊天机器人。 mintplex-labs AnythingLLM 1.5.3 及之前版本存在安全漏洞,该漏洞源于整个 User 对象(包括 bcrypt 密码哈希值)都包含在发送到前端的响应中,这种做法可能会导致敏感信息暴露。
CVSS信息
N/A
漏洞类别
其他