CVE-2024-4286

MEDIUM

Mintplex-Labs' anything-llm - Info Disclosure

Title source: llm

Description

Mintplex-Labs' anything-llm application is vulnerable to improper neutralization of special elements used in an expression language statement, identified in the commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. The vulnerability arises from the application's handling of user modifications by managers or admins, allowing for the modification of all existing attributes of the `user` database entity without proper checks or sanitization. This flaw can be exploited to delete user threads, denying users access to their previously submitted data, or to inject fake threads and/or chat history for social engineering attacks.

References (2)

[Exploit, Third Party Advisory] https://huntr.com/bounties/a72d2923-297c-455f-af90-715e83b3da2b

[Patch] https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789

View Patch ZIP pw:eip

Scores

CVSS v3 4.9

EPSS 0.0010

EPSS Percentile 28.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Classification

CWE

CWE-917

Status draft

Timeline

Published May 26, 2024

Tracked Since Feb 18, 2026