Description

A Cross-Site Scripting (XSS) vulnerability exists in mintplex-labs/anything-llm, affecting both the desktop application version 1.2.0 and the latest version of the web application. The vulnerability arises from the application's feature to fetch and embed content from websites into workspaces, which can be exploited to execute arbitrary JavaScript code. In the desktop application, this flaw can be escalated to Remote Code Execution (RCE) due to insecure application settings, specifically the enabling of 'nodeIntegration' and the disabling of 'contextIsolation' in Electron's webPreferences. The issue has been addressed in version 1.4.2 of the desktop application.

INFO

Published Date :

2024-06-06T18:23:36.035Z

Last Modified :

2024-08-01T20:05:07.541Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2024-3166 vulnerability.

Vendors Products
Mintplexlabs
  • Anythingllm Desktop
  • Anythingllm Webapp
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-3166.

URL Resource
https://github.com/mintplex-labs/anything-llm/commit/fa27103d032c58904c49b92ee13fabc19a20a5ce cve-icon cve-icon cve-icon
https://huntr.com/bounties/af288bd3-8824-4216-a294-ae9fb444e5db cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact