CVE-2024-3570

Published: Apr 10, 2024

Modified: Aug 1, 2024

PUBLISHED

CVSS v3.0

0.0

NONE

Description

A stored Cross-Site Scripting (XSS) vulnerability exists in the chat functionality of the mintplex-labs/anything-llm repository, allowing attackers to execute arbitrary JavaScript in the context of a user's session. By manipulating the ChatBot responses, an attacker can inject malicious scripts to perform actions on behalf of the user, such as creating a new admin account or changing the user's password, leading to a complete takeover of the AnythingLLM application. The vulnerability stems from the improper sanitization of user and ChatBot input, specifically through the use of `dangerouslySetInnerHTML`. Successful exploitation requires convincing an admin to add a malicious LocalAI ChatBot to their AnythingLLM instance.

Vendor	Product	Versions
mintplex-labs	mintplex-labs/anything-llm	affected `unspecified - < a4ace56a401ffc8ce0082d7444159dfd5dc28834`

Weaknesses (CWE)

CWE-79

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N

Attack Vector

Local

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

None

References

https://huntr.com/bounties/f0eaf552-aaf3-42b6-a5df-cfecd2de15ee

https://github.com/mintplex-labs/anything-llm/commit/a4ace56a401ffc8ce0082d7444159dfd5dc28834

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-3570

Description

Affected Products

Weaknesses (CWE)

CVSS v3.0 Details

References