- Description
- A vulnerability in mintplex-labs/anything-llm prior to version 1.3.1 allows for path traversal due to improper handling of non-ASCII filenames in the multer library. This vulnerability can lead to arbitrary file write, which can subsequently result in remote code execution. The issue arises when the filename transformation introduces '../' sequences, which are not sanitized by multer, allowing attackers with manager or admin roles to write files to arbitrary locations on the server.
- Source
- security@huntr.dev
- NVD status
- Received
CVSS 3.0
- Type
- Secondary
- Base score
- 7.2
- Impact score
- 5.9
- Exploitability score
- 1.2
- Vector string
- CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Severity
- HIGH
- Weakness
- CWE-29 (Path Traversal: '\..\filename'), assigned by security@huntr.dev
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
- 13
In February 2025, a critical vulnerability identified as CVE-2024-13059 was disclosed in AnythingLLM, an open-source framework for building self-hosted AI assistants: https://t.co/vL1moP6MnA This flaw affects versions prior to 1.3.1 and arises from improper handling of non-ASCII
@offsectraining
18 Apr 2025
4479 Impressions
21 Retweets
70 Likes
14 Bookmarks
0 Replies
1 Quote
🚨 CVE-2024-13059 🔴 HIGH (7.2) 🏢 mintplex-labs - mintplex-labs/anything-llm 🏗️ unspecified 🔗 https://t.co/kqcrVnnZf9 🔗 https://t.co/P49jIwUhPU #CyberCron #VulnAlert https://t.co/xstSrcGJKe
@cybercronai
12 Feb 2025
26 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-13059 A vulnerability in mintplex-labs/anything-llm prior to version 1.3.1 allows for path traversal due to improper handling of non-ASCII filenames in the multer library. … https://t.co/Topw1kLbrl
@CVEnew
10 Feb 2025
256 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes