Moderate severity · NVD Advisory · Published Apr 16, 2024 · Updated Aug 1, 2024

Cross-site Scripting (XSS) - Stored in mindsdb/mindsdb

CVE-2024-3575

Description

Cross-site Scripting (XSS) - Stored in mindsdb/mindsdb

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in MindsDB allows attackers to inject malicious scripts that execute in victims' browsers.

Vulnerability

Overview

MindsDB, an open-source platform for building AI applications, is affected by a stored cross-site scripting (XSS) vulnerability [1]. The flaw, tracked as CVE-2024-3575, allows an attacker to inject arbitrary JavaScript code that is stored by the application and later executed when other users access the affected component.

Exploitation

An attacker who can submit input to MindsDB (e.g., via query names, model names, or other user-controllable fields) can inject malicious scripts. Whether authentication is needed depends on whether those input fields are reachable by unauthenticated users, so the exact attack surface depends on the deployment configuration. When an administrator or other user views the injected data, the script executes in their browser context.

Impact

Successful exploitation can lead to session hijacking, unauthorized actions on behalf of the victim, data theft (including credentials), or defacement of the application interface. Since the XSS is stored, the payload remains persistent and can affect all users who access the compromised data.

Mitigation

The vulnerability was reported via the huntr bug bounty platform [3]. Users should upgrade to a patched version of MindsDB as recommended by the maintainers [2]. No workaround is currently available.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions    Patched versions
mindsdb (PyPI)   <= 23.6.3.1          (none listed)

Affected products (2)

  • ghsa-coords
    Range: <= 23.6.3.1
  • mindsdb/mindsdb/mindsdbv5
    Range: unspecified

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (3)

News mentions (0)

No linked articles in our index yet.