Medium Severity

anything-llm

Data Modification Vulnerability via User Modification

A vulnerability in the mintplex-labs/anything-llm application allows privileged users (managers or admins) to modify any attribute of a user entity, not only the fields the user-management feature is meant to expose. Because arbitrary attributes can be rewritten, the flaw can be abused to delete or corrupt user data or to support social engineering attacks. All versions prior to the fix in 1.0.0 are affected; the last affected commit is `57984fa85c31988b2eff429adfc654c46e0c342a`.

Published publicly on May 26, 2024

Remediation Steps
  • Restrict user-update handlers to an explicit allow-list of attributes that a given role may change, and reject requests that carry any other field rather than copying the request body onto the user record; validate the values of the allowed fields as well.
  • Update the application to version 1.0.0 or later, where this vulnerability has been patched.
  • Regularly review and audit code for security vulnerabilities, particularly in areas where user data can be modified.
  • Limit the privileges of user accounts to the minimum necessary and regularly review which accounts hold the manager and admin roles that can reach user-management functions.
  • Implement logging and monitoring of changes to user accounts, especially those made by manager or admin accounts, so that suspicious modifications can be detected and investigated promptly.
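The first remediation step is a mass-assignment control. The following JavaScript is an added example written for this page, not anything-llm's own code: it models a user table in memory and contrasts an update function that copies every supplied attribute onto the record with one that enforces a per-role allow-list. The user records, the field names, the role names and the rule that a manager may not modify an admin account are all assumptions made for the illustration.

```javascript
// Constructed in-memory "user table" standing in for a real database.
const users = new Map();

function seedUsers() {
  users.clear();
  users.set(1, { id: 1, username: "alice", role: "admin", password: "hash-a", suspended: 0 });
  users.set(2, { id: 2, username: "bob", role: "default", password: "hash-b", suspended: 0 });
}

// Vulnerable pattern: every attribute in the request body is written to the
// entity, so id, role and password hash are as writable as username.
function updateUserUnsafe(targetId, body) {
  const user = users.get(targetId);
  if (!user) return null;
  Object.assign(user, body);
  return user;
}

// Hardened pattern: attributes each role may change (assumed policy).
const UPDATABLE = {
  admin: new Set(["username", "password", "role", "suspended"]),
  manager: new Set(["username", "password", "suspended"]),
};
const ROLES = new Set(["admin", "manager", "default"]);

function updateUserSafe(actor, targetId, body) {
  const allowed = UPDATABLE[actor.role];
  if (!allowed) return { ok: false, error: "forbidden" };

  const user = users.get(targetId);
  if (!user) return { ok: false, error: "not found" };

  // Reject, rather than silently drop, any field outside the allow-list.
  // This also stops keys such as "id" or "__proto__" from reaching the record.
  const unknown = Object.keys(body).filter((k) => !allowed.has(k));
  if (unknown.length > 0) {
    return { ok: false, error: `attribute not updatable: ${unknown.join(",")}` };
  }

  // Validate values of the allowed fields, not just their names.
  if ("role" in body && !ROLES.has(body.role)) return { ok: false, error: "invalid role" };
  if ("suspended" in body && body.suspended !== 0 && body.suspended !== 1) {
    return { ok: false, error: "invalid suspended flag" };
  }

  // Assumed rule: a manager may not modify an admin account.
  if (actor.role === "manager" && user.role === "admin") {
    return { ok: false, error: "forbidden" };
  }

  const updated = { ...user, ...body }; // only allow-listed keys get here
  users.set(targetId, updated);
  return { ok: true, user: updated };
}

// Demonstration with the constructed data.
seedUsers();
const manager = { id: 3, role: "manager" };
console.log(updateUserUnsafe(2, { role: "admin", id: 99 })); // arbitrary attributes rewritten
seedUsers();
console.log(updateUserSafe(manager, 2, { role: "admin" })); // rejected: role not in manager's list
console.log(updateUserSafe(manager, 2, { username: "robert" })); // accepted
```

The important design choice is rejecting unknown fields instead of ignoring them: a request that tries to set a forbidden attribute is a signal worth logging, and a silent drop hides it.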
Patch Details
  • Fixed Version: 1.0.0
  • Patch Commit: https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789