cve/2024/CVE-2024-0550.md

### [CVE-2024-0550](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0550)
![](https://img.shields.io/static/v1?label=Product&message=mintplex-labs%2Fanything-llm&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=unspecified%3C%201.0.0%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-23%20Relative%20Path%20Traversal&color=brighgreen)

### Description

A user who is privileged already `manager` or `admin` can set their profile picture via the frontend API using a relative filepath to then user the PFP GET API to download any valid files.The attacker would have to have been granted privileged permissions to the system before executing this attack.

### POC

#### Reference
- https://huntr.com/bounties/c6afeb5e-f211-4b3d-aa4b-6bad734217a6

#### Github
No PoCs found on GitHub currently.