Stored XSS leading to admin account takeover in mintplex-labs/anything-llm
CVE-2024-3110
What is CVE-2024-3110?
A stored Cross-Site Scripting vulnerability exists in the Mintplex Labs' anything-llm application, affecting all versions prior to 1.0.0. This vulnerability results from improper sanitization and validation of user-supplied URLs before they are embedded in the application UI. As a consequence, malicious users can introduce 'javascript:' protocol payloads into the application, enabling the execution of arbitrary JavaScript code within the context of another user's session. By exploiting this flaw, an attacker with a manager role can construct malicious URLs that target an admin's authorization token. When the admin clicks on such a link, the token is transmitted to the attacker's server, allowing them to perform unauthorized actions, escalate privileges, or completely take over the admin account. The vulnerability can be exploited via certain browser actions such as opening the link in a new tab using specific mouse actions or by clicking the link directly in some versions of modern browsers.
Affected Version(s)
mintplex-labs/anything-llm < 1.0.0