CVE-2024-0435
CVE-2024-0435 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. A user can send a chat message containing an XSS payload that executes when the chat is sent and again on subsequent page loads. Because the minimum requirement for sending a chat is to be granted access to a workspace by an admin, the risk is low. Additionally, the XSS renders only for the user who submitted it. EPSS estimates a 0.47% chance of exploitation in the next 30 days.
Description
A user can send a chat message containing an XSS payload that executes when the chat is sent and again on subsequent page loads. Given that the minimum requirement for a user to send a chat is to be granted access to a workspace by an admin, the risk is low. Additionally, the XSS renders only for the user who submitted it. Ultimately, this attack is limited to the user attacking themselves. There is no anonymous chat submission unless the user does not take the minimum steps required to protect their instance.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Mintplexlabs | Anythingllm | All versions |
References
- https://huntr.com/bounties/53308220-8b2e-492f-b248-0985b7c2db61 (Third Party Advisory)
Source: NVD / NIST
