Data Modification Vulnerability via User Modification
A vulnerability in the mintplex-labs/anything-llm application allows privileged users (managers or admins) to modify any attribute of a user entity, leading to potential data deletion or social engineering attacks. This issue affects versions of the software prior to the patch in version 1.0.0, with the last affected commit being `57984fa85c31988b2eff429adfc654c46e0c342a`.
Available publicly on May 26 2024 | Available with Premium on Apr 26 2024
Threat Overview
The vulnerability stems from the application's handling of user modifications by managers or admins, where the application fails to properly sanitize input before updating user attributes. This flaw can be exploited to modify critical attributes such as threads, potentially leading to data loss or the injection of malicious content for social engineering purposes. The lack of input validation and sanitization in the user modification endpoint is a significant security oversight.
Attack Scenario
An attacker with manager or admin privileges could exploit this vulnerability by sending a specially crafted request to the user modification endpoint. This request could, for example, set the threads attribute to an empty array, effectively deleting all threads associated with a user. This could result in the loss of important data or be used as part of a social engineering attack to manipulate user behavior.
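The missing control is an allowlist on which user attributes an update request may touch. The following is an added sketch of that check, not code from anything-llm: the function names, the writable field names and their value rules are assumptions, and only the `threads` attribute comes from the advisory.

```javascript
// Added illustration. Field names and rules below are assumptions, not the project's schema.
// Each writable attribute maps to a validator; anything else (e.g. `threads`) is refused.
const WRITABLE_USER_FIELDS = {
  username: (v) => typeof v === "string" && /^[a-z0-9_-]{2,32}$/.test(v),
  role: (v) => ["default", "manager", "admin"].includes(v),
  suspended: (v) => typeof v === "boolean",
};

// Split a request body into accepted updates and rejected keys.
function validateUserUpdate(body) {
  const updates = {};
  const rejected = [];
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { updates, rejected: ["<body>"] };
  }
  for (const key of Object.keys(body)) {
    // Own-property lookup so keys like "__proto__" or "constructor" never match.
    const known = Object.prototype.hasOwnProperty.call(WRITABLE_USER_FIELDS, key);
    if (known && WRITABLE_USER_FIELDS[key](body[key])) {
      updates[key] = body[key];
    } else {
      rejected.push(key);
    }
  }
  return { updates, rejected };
}

// Handler-side policy: fail closed. One unexpected key rejects the whole request,
// so relations such as `threads` cannot ride along with a legitimate change.
function applyUserUpdate(user, body) {
  const { updates, rejected } = validateUserUpdate(body);
  if (rejected.length > 0) {
    return { ok: false, error: `fields not writable: ${rejected.join(", ")}`, user };
  }
  return { ok: true, error: null, user: { ...user, ...updates } };
}

// Constructed sample record and request bodies (not real data).
const sampleUser = {
  id: 7, username: "alice", role: "default", suspended: false,
  threads: [{ id: 1 }, { id: 2 }],
};
const craftedBody = { username: "alice2", threads: [] }; // the request shape described above
const benignBody = { username: "alice2" };
```

Logging the `rejected` keys together with the acting account gives a detection signal for privileged users probing attributes outside the allowlist.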
Who is affected
Users of the mintplex-labs/anything-llm application whose data is managed by privileged users (managers or admins) are at risk. Specifically, users whose threads and other attributes can be modified or deleted by these privileged accounts are directly affected by this vulnerability.