### [CVE-2024-3283](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3283)
![](https://img.shields.io/static/v1?label=Product&message=mintplex-labs%2Fanything-llm&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=unspecified%3C%201.0.0%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-915%20Improperly%20Controlled%20Modification%20of%20Dynamically-Determined%20Object%20Attributes&color=brighgreen)

### Description

A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass assignment issue. The '/admin/system-preferences' API endpoint improperly authorizes manager-level users to modify the 'multi_user_mode' system variable, enabling them to access the '/api/system/enable-multi-user' endpoint and create a new admin user. This issue results from the endpoint accepting a full JSON object in the request body without proper validation of modifiable fields, leading to unauthorized modification of system settings and subsequent privilege escalation.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds