CVE-2024-45856

9.0 CRITICAL

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in MindsDB allows attackers to inject malicious JavaScript into ML Engine, database, project, or dataset names. When users view these objects in the web UI, the JavaScript executes in their browser context. All MindsDB users with web UI access are affected.

💻 Affected Systems

Products:
  • MindsDB
Versions: All versions
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the web UI component. API and CLI interfaces are not vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware via the victim's browser.

🟠 Likely Case

Session hijacking, credential theft, or unauthorized actions performed within the MindsDB interface by authenticated users.

🟢 If Mitigated

Limited impact if proper input validation and output encoding are implemented, though some data exposure may still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires ability to create or modify ML Engine, database, project, or dataset names with JavaScript payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb/

Restart Required: No

Instructions:

No official patch available. Monitor MindsDB security advisories for updates.

🔧 Temporary Workarounds

Disable Web UI (applies to: all)

Disable the MindsDB web interface and use only API or CLI access.

Action: modify the MindsDB configuration to disable the web server.

Input Validation Filter (applies to: all)

Implement WAF or proxy filtering for JavaScript patterns in object names.

Action: configure WAF rules to block <script> tags and JavaScript patterns in POST/PUT requests.

🧯 If You Can't Patch

  • Restrict user permissions to prevent creation/modification of ML Engine, database, project, or dataset names
  • Implement Content Security Policy (CSP) headers to restrict script execution

🔍 How to Verify

Check if Vulnerable:

Attempt to create an ML Engine or dataset with a name containing <script>alert('XSS')</script> and check whether the script executes when the object is viewed in the web UI.

Check Version:

Check MindsDB version via web UI or CLI

Verify Fix Applied:

Test that JavaScript payloads in object names are properly encoded and do not execute in the browser.
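The mitigation and verification steps above come down to three defensive layers: reject names that are not identifier-shaped, HTML-encode whatever is displayed, and ship a CSP that refuses inline script. The following Python is an added example written for this page, not MindsDB's own validation, rendering or CSP code; the identifier pattern, the sample names and the CSP value are constructed assumptions for illustration.

```python
import html
import re

# Constructed allowlist for object names: an identifier of letters, digits and
# underscores, at most 64 characters. This is an assumption for the example,
# not MindsDB's actual naming rule.
OBJECT_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")

# Constructed sample names: one legitimate, two carrying markup or an event handler.
SAMPLE_NAMES = [
    "sales_forecast",
    "<script>alert('XSS')</script>",   # the payload from the verification step above
    'x" onerror="alert(1)',
]

# Constructed example of a restrictive CSP header value; not MindsDB's shipped policy.
CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


def is_safe_object_name(name: str) -> bool:
    """Input validation layer: accept only identifier-shaped names."""
    return OBJECT_NAME_RE.fullmatch(name) is not None


def encode_for_html(name: str) -> str:
    """Output encoding layer: escape &, <, >, \" and ' so the name renders as text."""
    return html.escape(name, quote=True)


def contains_markup(rendered: str) -> bool:
    """Check used when verifying a fix: correctly encoded output has no raw < > or quotes."""
    return any(ch in rendered for ch in "<>\"'")


def csp_blocks_inline_scripts(policy: str) -> bool:
    """True when script-src (or the default-src fallback) exists and omits
    'unsafe-inline', so an injected inline <script> would be blocked."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    return sources is not None and "'unsafe-inline'" not in sources


def triage(names):
    """Run each name through validation and encoding; returns a dict per name."""
    return {
        n: {
            "accepted": is_safe_object_name(n),
            "encoded": encode_for_html(n),
            "encoded_has_markup": contains_markup(encode_for_html(n)),
        }
        for n in names
    }


if __name__ == "__main__":
    for name, result in triage(SAMPLE_NAMES).items():
        print(f"{name!r}: accepted={result['accepted']} encoded={result['encoded']}")
    print("CSP blocks inline script:", csp_blocks_inline_scripts(CSP_HEADER))
```

Validation alone is not enough, because legitimate deployments may already hold names that predate the check; encoding at render time is what neutralises stored payloads, and the CSP check is the safety net if a template still interpolates raw HTML somewhere.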

📡 Detection & Monitoring

Log Indicators:

  • Unusual object names containing script tags or JavaScript patterns in creation/modification logs

Network Indicators:

  • HTTP requests with JavaScript payloads in object name parameters

SIEM Query:

source="mindsdb" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
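The SIEM query above matches the literal strings only. The following Python is an added example, not part of the advisory or of MindsDB, that applies the same four patterns case-insensitively to the name field of constructed log lines and, going one step beyond the query, also checks the percent-decoded form of the name, since request bodies often reach logs URL-encoded. The log line layout is a made-up assumption for the example, not MindsDB's actual log format.

```python
import re
from urllib.parse import unquote_plus

# Same indicators as the SIEM query, compiled case-insensitively.
XSS_PATTERNS = re.compile(r"<script|javascript:|onerror=|onload=", re.IGNORECASE)

# Constructed sample log lines; the key=value layout is an assumption for this example.
SAMPLE_LOGS = [
    '2024-09-10T12:00:01Z source="mindsdb" action=create_database name="sales_db" user=analyst',
    '2024-09-10T12:00:02Z source="mindsdb" action=create_ml_engine name="<script>alert(1)</script>" user=guest',
    '2024-09-10T12:00:03Z source="mindsdb" action=create_project name="%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E" user=guest',
    '2024-09-10T12:00:04Z source="mindsdb" action=create_dataset name="weather_2024" user=analyst',
    '2024-09-10T12:00:05Z source="other" action=login name="<script>" user=bob',
]


def extract_name(line: str) -> str:
    """Pull the quoted name= value out of a log line (empty string if absent)."""
    m = re.search(r'name="([^"]*)"', line)
    return m.group(1) if m else ""


def is_suspicious(line: str) -> bool:
    """Flag MindsDB object creation/modification events whose name carries an
    XSS indicator, checking raw, single- and double-decoded forms of the name."""
    if 'source="mindsdb"' not in line:
        return False
    name = extract_name(line)
    once = unquote_plus(name)
    candidates = {name, once, unquote_plus(once)}
    return any(XSS_PATTERNS.search(c) for c in candidates)


def scan(lines):
    """Return the subset of lines that should raise an alert."""
    return [line for line in lines if is_suspicious(line)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print("ALERT:", hit)
```

The decoding pass is what catches the third sample line, which the literal SIEM query would miss; tune the source filter to however your collector labels MindsDB events.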
