Vulnerability Details CVE-2024-3570
A stored Cross-Site Scripting (XSS) vulnerability exists in the chat functionality of the mintplex-labs/anything-llm repository, allowing attackers to execute arbitrary JavaScript in the context of a user's session. By manipulating the ChatBot responses, an attacker can inject malicious scripts to perform actions on behalf of the user, such as creating a new admin account or changing the user's password, leading to a complete takeover of the AnythingLLM application. The vulnerability stems from the improper sanitization of user and ChatBot input, specifically through the use of `dangerouslySetInnerHTML`. Successful exploitation requires convincing an admin to add a malicious LocalAI ChatBot to their AnythingLLM instance.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 27.7%
CVSS Severity
References
- https://github.com/mintplex-labs/anything-llm/commit/a4ace56a401ffc8ce0082d7444159dfd5dc28834
- https://huntr.com/bounties/f0eaf552-aaf3-42b6-a5df-cfecd2de15ee
- https://github.com/mintplex-labs/anything-llm/commit/a4ace56a401ffc8ce0082d7444159dfd5dc28834
- https://huntr.com/bounties/f0eaf552-aaf3-42b6-a5df-cfecd2de15ee
Products affected by CVE-2024-3570
-
cpe:2.3:a:mintplexlabs:anythingllm:-
-
cpe:2.3:a:mintplexlabs:anythingllm:0.0.1
-
cpe:2.3:a:mintplexlabs:anythingllm:0.1.0