CVE-2024-4286 MEDIUM

CVE-2024-4286: Improper Neutralization of Special Elements in mintplex-labs/anything-llm

Vendor Mintplex-Labs
Product mintplex-labs/anything-llm
Weakness CWE-917
Published May 26, 2024
Last update August 1, 2024

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

Mintplex-Labs' anything-llm application is vulnerable to improper neutralization of special elements used in an expression language statement, identified in the commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. The vulnerability arises from the application's handling of user modifications by managers or admins, allowing for the modification of all existing attributes of the `user` database entity without proper checks or sanitization. This flaw can be exploited to delete user threads, denying users access to their previously submitted data, or to inject fake threads and/or chat history for social engineering attacks.

Key dates

02Disclosure timeline

May 26, 2024 CVE published
August 1, 2024 Record updated