Home > Vulnerability Database > CVE-2024-4286

Mend.io Vulnerability Database

CVE-2024-4286

Date: May 26, 2024

Mintplex-Labs' anything-llm application is vulnerable to improper neutralization of special elements used in an expression language statement, identified in the commit id "57984fa85c31988b2eff429adfc654c46e0c342a". The vulnerability arises from the application's handling of user modifications by managers or admins, allowing for the modification of all existing attributes of the "user" database entity without proper checks or sanitization. This flaw can be exploited to delete user threads, denying users access to their previously submitted data, or to inject fake threads and/or chat history for social engineering attacks.

Language: JS

Severity Score

4.9

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-4286

Url: https://huntr.com/bounties/a72d2923-297c-455f-af90-715e83b3da2b

Url: https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789

Url: https://www.mend.io/vulnerability-database/CVE-2024-4286

Severity Score

4.9

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CWE-917

CVSS v3.1

Base Score:	4.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-4286

Date: May 26, 2024

Language: JS

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?