How severe is CVE-2024-0404?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.1 out of 10.

What type of vulnerability is CVE-2024-0404?

This is classified as CWE-915, which is a common weakness in software security.

CVE-2024-0404

CRITICAL Year: 2024

CVSS v3 Score

9.1

Critical

Weakness Type

CWE-915

View all →

Vulnerability Description

A mass assignment vulnerability exists in the `/api/invite/:code` endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an invitation link, an attacker can add a `role` property with `admin` value, thereby gaining administrative access. This issue arises due to the lack of property allowlisting and blocklisting, enabling the attacker to exploit the system and perform actions as an administrator.

CVE-2021-21368

HIGH

CVSS:8.8(High)

msgpack5 is a msgpack v5 implementation for node.js and the browser. In msgpack5 before versions 3.6.1, 4.5.1, and 5.2.1 there is a "Prototype Poisoning" vulnerability. When msgpack5 decodes a map con...

CWE-9152021

CVE-2023-32079

HIGH

CVSS:8.8(High)

Netmaker makes networks with WireGuard. A Mass assignment vulnerability was found in versions prior to 0.17.1 and 0.18.6 that allows a non-admin user to escalate privileges to those of an admin user. ...

CWE-9152023

CVE-2021-21304

CRITICAL

CVSS:9.8(Critical)

Dynamoose is an open-source modeling tool for Amazon's DynamoDB. In Dynamoose from version 2.0.0 and before version 2.7.0 there was a prototype pollution vulnerability in the internal utility method "...

CWE-9152021

CVE-2022-24802

CRITICAL

CVSS:9.8(Critical)

deepmerge-ts is a typescript library providing functionality to deep merging of javascript objects. deepmerge-ts is vulnerable to Prototype Pollution via file deepmerge.ts, function defaultMergeRecord...

CWE-9152022

CVE-2022-31106

CRITICAL

CVSS:9.8(Critical)

Underscore.deep is a collection of Underscore mixins that operate on nested objects. Versions of `underscore.deep` prior to version 0.5.3 are vulnerable to a prototype pollution vulnerability. An atta...

CWE-9152022

CVE-2022-43441

CRITICAL

CVSS:9.8(Critical)

A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially-crafted Javascript file can lead to arbitrary code execution. An attac...

CWE-9152022

CVE-2024-0404

Vulnerability Description

Related Vulnerabilities

CVE-2021-21368

CVE-2023-32079

CVE-2021-21304

CVE-2022-24802

CVE-2022-31106

CVE-2022-43441