CVE-2024-4286

CVSS V2 None CVSS V3 None

Description

Mintplex-Labs' anything-llm application is vulnerable to improper neutralization of special elements used in an expression language statement, identified in the commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. The vulnerability arises from the application's handling of user modifications by managers or admins, allowing for the modification of all existing attributes of the `user` database entity without proper checks or sanitization. This flaw can be exploited to delete user threads, denying users access to their previously submitted data, or to inject fake threads and/or chat history for social engineering attacks.

Overview

CVE ID
CVE-2024-4286

Assigner
@huntr_ai

Vulnerability Status
PUBLISHED

Published Version
2024-05-26T22:25:12.285Z

Last Modified Date
2024-06-04T17:54:25.287Z

Weakness Enumerations

CWE	URL
CWE-917	http://cwe.mitre.org/data/definitions/917.html

References

Reference URL	Reference Tags
https://huntr.com/bounties/a72d2923-297c-455f-af90-715e83b3da2b
https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-4286
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4286

History

Created	Old Value	New Value	Data Type	Notes
2024-06-23 22:05:12				Added to TrackCVE