Login Sign Up

CVE-2024-3110

8.7 HIGH
Cross-Site Scripting Authentication Bypass

📋 TL;DR

A stored XSS vulnerability in anything-llm allows attackers with manager role to inject malicious JavaScript via crafted URLs. When an admin clicks these links, their authorization token can be stolen, leading to account takeover. This affects versions up to and including the latest before 1.0.0.

💻 Affected Systems

Products:
  • mintplex-labs/anything-llm
Versions: All versions up to and including latest before 1.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires manager role to exploit, but affects all users who click malicious links.

📦 What is this software?

Anythingllm by Mintplexlabs

View all CVEs affecting Anythingllm →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete admin account takeover leading to full system compromise, data theft, and privilege escalation across the application.

🟠

Likely Case

Admin session hijacking allowing unauthorized actions, privilege escalation, and potential data exfiltration.

🟢

If Mitigated

Limited impact with proper input validation and output encoding preventing JavaScript execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires manager role to create malicious links, but execution is simple via link clicks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.0 and later

Vendor Advisory: https://github.com/mintplex-labs/anything-llm/commit/49f30e051c9f6e28977d57d0e5f49c1294094e41

Restart Required: Yes

Instructions:

1. Update to version 1.0.0 or later. 2. Restart the application. 3. Verify the fix by checking that javascript: protocol URLs are blocked.

🔧 Temporary Workarounds

Input Validation Filter

all

Add server-side validation to reject URLs containing javascript: protocol

Implement URL validation in the application code to filter out javascript: protocol

Content Security Policy

all

Implement CSP headers to restrict script execution

Add Content-Security-Policy header with script-src 'self'

🧯 If You Can't Patch

  • Restrict manager role permissions to trusted users only
  • Implement web application firewall rules to block javascript: protocol in URLs

🔍 How to Verify

Check if Vulnerable:

Check if application version is below 1.0.0 and test if javascript:alert('XSS') can be injected in URL fields.

Check Version:

Check package.json or application settings for version number

Verify Fix Applied:

After updating to 1.0.0+, attempt to inject javascript: protocol URLs and verify they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual URL patterns containing javascript: protocol
  • Multiple failed URL validation attempts

Network Indicators:

  • Outbound requests to unknown servers following admin link clicks
  • Unexpected token transmission to external domains

SIEM Query:

search 'javascript:' in URL fields OR outbound connections following admin link clicks

📊 Metadata

CVE ID: CVE-2024-3110
CVSS v3 Score: 8.7 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CWE: CWE-79
Published: June 6, 2024
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-3110, you might also want to check these:

CVE-2021-39199 10.0

CVE-2021-39199 is a critical cross-site scripting (XSS) vulnerability in the remark-html Node.js lib...

Same vulnerability type (CWE-79)
CVE-2021-32671 10.0

This vulnerability in Flarum forum software allows attackers to inject malicious HTML/JavaScript int...

Same vulnerability type (CWE-79)
CVE-2021-32798 10.0

CVE-2021-32798 is a critical vulnerability in Jupyter Notebook that allows malicious notebook files ...

Same vulnerability type (CWE-79)