CVE-2024-3570

Summary

A stored Cross-Site Scripting (XSS) vulnerability exists in the chat functionality of the mintplex-labs/anything-llm repository, allowing attackers to execute arbitrary JavaScript in the context of a user's session. By manipulating the ChatBot responses, an attacker can inject malicious scripts to perform actions on behalf of the user, such as creating a new admin account or changing the user's password, leading to a complete takeover of the AnythingLLM application. The vulnerability stems from the improper sanitization of user and ChatBot input, specifically through the use of dangerouslySetInnerHTML. Successful exploitation requires convincing an admin to add a malicious LocalAI ChatBot to their AnythingLLM instance.

Affected Software

VendorProductVersion RangeStatus
mintplex-labsmintplex-labs/anything-llmunspecified < a4ace56a401ffc8ce0082d7444159dfd5dc28834affected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References