Stored XSS leading to Admin Account Takeover in mintplex-labs/anything-llm
Description
A stored Cross-Site Scripting (XSS) vulnerability exists in the chat functionality of the mintplex-labs/anything-llm repository, allowing attackers to execute arbitrary JavaScript in the context of a user's session. By manipulating the ChatBot responses, an attacker can inject malicious scripts to perform actions on behalf of the user, such as creating a new admin account or changing the user's password, leading to a complete takeover of the AnythingLLM application. The vulnerability stems from the improper sanitization of user and ChatBot input, specifically through the use of dangerouslySetInnerHTML. Successful exploitation requires convincing an admin to add a malicious LocalAI ChatBot to their AnythingLLM instance.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- mintplex-labs/mintplex-labs/anything-llmv5Range: unspecified
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.