CVE-2024-10366
7.6
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Summary
An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat version v0.7.5-rc2. The endpoint does not verify whether the provided attachment ID belongs to the current user, allowing any authenticated user to delete attachments of other users.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| danny-avila | danny-avila/librechat | unspecified < 0.7.5 | affected |
Weaknesses
- CWE-639: CWE-639 Authorization Bypass Through User-Controlled Key
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://huntr.com/bounties/cde47cf8-dc81-46ab-b472-f7e44a981a7e
- https://github.com/danny-avila/librechat/commit/a350443661d001ac55787741969a75d94ca14116
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.