CVE-2024-3166

9.6 CRITICAL

📋 TL;DR

A Cross-Site Scripting (XSS) vulnerability in mintplex-labs/anything-llm allows attackers to execute arbitrary JavaScript code by exploiting the application's website content embedding feature. In the desktop application, this can escalate to Remote Code Execution (RCE) due to insecure Electron settings. Users of the desktop application version 1.2.0 and web application versions before the fix are affected.

💻 Affected Systems

Products:
  • mintplex-labs/anything-llm desktop application
  • mintplex-labs/anything-llm web application
Versions: Desktop: version 1.2.0; Web: versions before fix (specific versions not specified in CVE)
Operating Systems: All platforms running Electron desktop application
Default Config Vulnerable: ⚠️ Yes
Notes: Desktop application vulnerable due to 'nodeIntegration: true' and 'contextIsolation: false' in Electron webPreferences.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise via RCE on desktop application, allowing attacker to execute arbitrary code with application privileges.

🟠

Likely Case

Session hijacking, credential theft, and data exfiltration via XSS in both desktop and web applications.

🟢

If Mitigated

Limited impact to application data if proper input validation and output encoding are implemented.

🌐 Internet-Facing: HIGH - Web application is internet-facing and vulnerable to XSS attacks.
🏢 Internal Only: HIGH - Desktop application vulnerable to RCE even in internal networks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS exploitation is straightforward; RCE requires specific desktop application configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Desktop: 1.4.2; Web: latest version after commit fa27103d

Vendor Advisory: https://github.com/mintplex-labs/anything-llm/commit/fa27103d032c58904c49b92ee13fabc19a20a5ce

Restart Required: Yes

Instructions:

1. Update the desktop application to version 1.4.2 or later.
2. Update the web application to the latest version.
3. Restart the application after the update.

🔧 Temporary Workarounds

Disable website content embedding

Platform: all

Temporarily disable the feature that fetches and embeds content from websites.

No specific commands - disable via application settings if available

Electron security hardening

Platform: all

For desktop application, reconfigure Electron with 'nodeIntegration: false' and 'contextIsolation: true'.

Modify webPreferences in main.js: { nodeIntegration: false, contextIsolation: true }
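The following is an added example, not code from the anything-llm project: it places the weak Electron webPreferences named in this advisory beside a hardened set, adds a small audit function a defender can run over any BrowserWindow options object, and a helper that rewrites such an object to the safe settings. The `sandbox` and `webSecurity` checks and the preload path are assumptions beyond the two settings the advisory names; missing keys are treated as findings because the safe default depends on the Electron version in use.

```javascript
// Added example (not from mintplex-labs/anything-llm). Pure JavaScript, no
// Electron import, so it can be run or unit-tested outside the app.

// The settings this advisory identifies as the reason an XSS in the renderer
// escalates to code execution with application privileges.
const VULNERABLE_WEB_PREFERENCES = {
  nodeIntegration: true,   // page scripts get require(): fs, child_process, ...
  contextIsolation: false, // page scripts share the preload script's JS world
};

// Hardened settings. Privileged helpers, if any, are exposed to the page only
// through a preload script using contextBridge with a narrow, explicit API.
const HARDENED_WEB_PREFERENCES = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,                         // assumption: extra layer, not named in the advisory
  webSecurity: true,
  preload: '/PLACEHOLDER/path/to/preload.js', // placeholder, not a project path
};

// Audit a webPreferences object and return a list of findings (empty = OK).
// Missing keys count as findings: requiring explicit values avoids depending
// on which Electron version supplies which default (assumption).
function auditWebPreferences(prefs) {
  const p = prefs || {};
  const findings = [];
  if (p.nodeIntegration !== false) findings.push('nodeIntegration must be false');
  if (p.contextIsolation !== true) findings.push('contextIsolation must be true');
  if (p.sandbox !== true) findings.push('sandbox should be true');
  if (p.webSecurity === false) findings.push('webSecurity must not be disabled');
  if (p.allowRunningInsecureContent === true) {
    findings.push('allowRunningInsecureContent must not be enabled');
  }
  return findings;
}

// Return a copy of BrowserWindow options with webPreferences forced to the
// hardened values; other options (size, title, ...) are left untouched.
function hardenWindowOptions(options) {
  const existing = (options && options.webPreferences) || {};
  return {
    ...options,
    webPreferences: {
      ...existing,
      nodeIntegration: false,
      contextIsolation: true,
      sandbox: true,
      webSecurity: true,
      allowRunningInsecureContent: false,
    },
  };
}

// Usage inside main.js (not executed here):
//   const win = new BrowserWindow(hardenWindowOptions({ width: 1200, height: 800,
//     webPreferences: { preload: path.join(__dirname, 'preload.js') } }));
//   console.log(auditWebPreferences(win.webContents.getLastWebPreferences()));
```

With `contextIsolation: true` and `nodeIntegration: false`, a script injected through embedded website content runs in an ordinary browser context and cannot reach Node APIs, so the XSS stays an XSS instead of becoming RCE; any capability the page genuinely needs should be added back one function at a time via `contextBridge.exposeInMainWorld` in the preload script.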

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to restrict script execution
  • Use web application firewall (WAF) with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check the application version: the desktop application is vulnerable if its version is below 1.4.2; the web application is vulnerable if it predates commit fa27103d. Also review the Electron configuration for the insecure settings ('nodeIntegration: true', 'contextIsolation: false').

Check Version:

Desktop: Check application about menu; Web: Check version in UI or package.json

Verify Fix Applied:

Confirm desktop version is ≥1.4.2 and web application includes commit fa27103d. Verify Electron settings are secure.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript execution patterns
  • Suspicious website embedding requests

Network Indicators:

  • Unexpected outbound connections from application
  • Suspicious payloads in HTTP requests

SIEM Query:

Search for: 'anything-llm' AND ('XSS' OR 'script' OR 'embed') in application logs
