CVE-2024-5213

MEDIUM Year: 2024
CVSS v3 Score
5.3
Medium
Weakness Type
CWE-1230
View all →

Vulnerability Description

In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (`POST /api/request-token`) and after account creations (`POST /api/admin/users/new`). This exposure occurs because the entire User object, including the bcrypt password hash, is included in the response sent to the frontend. This practice could potentially lead to sensitive information exposure despite the use of bcrypt, a strong hashing algorithm. It is recommended not to expose any clues about passwords to the frontend.

Related Vulnerabilities

CVE-2024-49395

MEDIUM
CVSS:5.3(Medium)

In mutt and neomutt, PGP encryption does not use the --hidden-recipient mode which may leak the Bcc email header field by inferring from the recipients info.

CWE-12302024

CVE-2025-26527

MEDIUM
CVSS:5.3(Medium)

Tags not expected to be visible to a user could still be discovered by them via the tag search page or in the tags block.

CWE-12302025

CVE-2023-32488

MEDIUM
CVSS:4.3(Medium)

Dell PowerScale OneFS, 8.2.x-9.5.0.x, contains an information disclosure vulnerability in NFS. A low privileged attacker could potentially exploit this vulnerability, leading to information disclosure...

CWE-12302023

CVE-2024-10324

MEDIUM
CVSS:4.3(Medium)

The RomethemeKit For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.5.2 via the register_controls function in widgets/offcanvas-...

CWE-12302024

CVE-2024-8910

MEDIUM
CVSS:4.3(Medium)

The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.5 via the render function in includes/widgets...

CWE-12302024

CVE-2024-9447

MEDIUM
CVSS:6.5(Medium)

An information disclosure vulnerability exists in the latest version of transformeroptimus/superagi. The `/get/organisation/` endpoint does not verify the user's organization, allowing any authenticat...

CWE-12302024