Vulnerability Description
A Cross-Site Scripting (XSS) vulnerability exists in mintplex-labs/anything-llm, affecting both the desktop application version 1.2.0 and the latest version of the web application. The flaw lies in the feature that fetches content from websites and embeds it into workspaces: the fetched content is rendered in a way that lets an attacker-controlled page execute arbitrary JavaScript in the application's context. In the desktop application this XSS can be escalated to Remote Code Execution (RCE) because of insecure Electron webPreferences, specifically 'nodeIntegration' being enabled and 'contextIsolation' being disabled, which gives page scripts direct access to Node.js APIs. The issue has been fixed in version 1.4.2 of the desktop application.
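As an added illustration (not code from AnythingLLM or from the referenced patch), the Node.js snippet below turns the two Electron webPreferences settings named in the advisory into an audit over a BrowserWindow configuration, and places a configuration with the reported weak settings beside a hardened one. The rule wording, the sample configurations and the extra `sandbox: true` line are assumptions for illustration; the defaults assumed for unset keys (Electron 12 and later: nodeIntegration false, contextIsolation true) are stated in the code.

```javascript
// Added example, not code from the AnythingLLM project: a checker for the two
// Electron webPreferences settings named in the advisory. Run it against the
// options object passed to `new BrowserWindow({ webPreferences })`.
// Assumes Electron 12+ defaults (nodeIntegration: false, contextIsolation: true)
// when a key is left unset.

// Each rule: the key, a predicate for the safe value, and why it matters.
const RENDERER_RULES = [
  {
    key: "nodeIntegration",
    safe: (v) => v !== true,
    why: "nodeIntegration: true exposes require() and process to page scripts, " +
         "so injected JavaScript can load child_process and run OS commands",
  },
  {
    key: "contextIsolation",
    safe: (v) => v !== false,
    why: "contextIsolation: false puts the preload script and the page in one " +
         "JavaScript world, so injected code can reach privileged bridge objects",
  },
];

// Returns { hardened, findings }, where findings lists every violated rule.
function auditWebPreferences(prefs = {}) {
  const findings = RENDERER_RULES
    .filter((rule) => !rule.safe(prefs[rule.key]))
    .map((rule) => ({ key: rule.key, value: prefs[rule.key], why: rule.why }));
  return { hardened: findings.length === 0, findings };
}

// The exact combination the advisory describes: both knobs set the wrong way.
// Under these settings any XSS in the renderer is a Node.js code-execution
// primitive, which is how the reported XSS became RCE in the desktop build.
function xssEscalatesToRce(prefs = {}) {
  return prefs.nodeIntegration === true && prefs.contextIsolation === false;
}

// What an untrusted page's script can reach in the renderer under a config.
function rendererGlobalsExposed(prefs = {}) {
  const exposed = [];
  if (prefs.nodeIntegration === true) exposed.push("require", "process");
  if (prefs.contextIsolation === false) exposed.push("preload globals");
  return exposed;
}

// Constructed configurations for illustration (not copied from the project).
const VULNERABLE_WEB_PREFERENCES = {
  nodeIntegration: true,   // page scripts get require()
  contextIsolation: false, // page and preload share one JavaScript world
};

const HARDENED_WEB_PREFERENCES = {
  nodeIntegration: false,  // no Node.js in the renderer
  contextIsolation: true,  // preload runs in its own world
  sandbox: true,           // extra hardening (assumption; not named in the advisory)
  // Expose only vetted functions to the page via contextBridge in a preload script.
};

// Stand-alone demo: print the audit of the weak configuration.
console.log(JSON.stringify(auditWebPreferences(VULNERABLE_WEB_PREFERENCES), null, 2));
console.log("XSS escalates to RCE:", xssEscalatesToRce(VULNERABLE_WEB_PREFERENCES));
```

In a real desktop build the check belongs in a unit test over the actual BrowserWindow options, so a regression that flips either knob back fails CI rather than shipping; the sanitisation of fetched website content is a separate control and is not what this example covers.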
CVSS Score
9.6 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mintplexlabs | Anythingllm Desktop | < 1.4.2 |
| Mintplexlabs | Anythingllm Webapp | < 1.2.0 |
Related Weaknesses (CWE)
References
- https://github.com/mintplex-labs/anything-llm/commit/fa27103d032c58904c49b92ee13 (Patch)
- https://huntr.com/bounties/af288bd3-8824-4216-a294-ae9fb444e5db (Exploit, Third Party Advisory)
FAQ
What is CVE-2024-3166?
CVE-2024-3166 is a Cross-Site Scripting (XSS) vulnerability in mintplex-labs/anything-llm with a CVSS base score of 9.6 (CRITICAL). It affects both the desktop application version 1.2.0 and the latest version of the web application, and stems from the feature that fetches website content and embeds it into workspaces. In the desktop application the XSS escalates to Remote Code Execution because Electron's webPreferences enable 'nodeIntegration' and disable 'contextIsolation'. See the Vulnerability Description above for details.
How severe is CVE-2024-3166?
CVE-2024-3166 has been rated CRITICAL with a CVSS base score of 9.6/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-3166?
The desktop application is fixed in version 1.4.2; see the References section above for the patch commit and the third-party advisory. Affected products: Mintplexlabs Anythingllm Desktop and Mintplexlabs Anythingllm Webapp.