CVE-2024-3166

Name of the Vulnerable Software and Affected Versions mintplex-labs/anything-llm versions 1.2.0 through 1.4.1 mintplex-labs/anything-llm web application (affected versions not specified)

Description A Cross-Site Scripting (XSS) vulnerability exists in the application, affecting both the desktop and web applications. The vulnerability arises from the application's feature to fetch and embed content from websites into workspaces, which can be exploited to execute arbitrary JavaScript code. In the desktop application, this flaw can be escalated to Remote Code Execution (RCE) due to insecure application settings, specifically the enabling of nodeIntegration and the disabling of contextIsolation in Electron's webPreferences.

Recommendations For mintplex-labs/anything-llm desktop application version 1.2.0, update to version 1.4.2 to address the issue. For mintplex-labs/anything-llm web application, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider disabling the feature to fetch and embed content from websites into workspaces until a patch is available. Restrict access to the Electron's webPreferences to minimize the risk of exploitation. Avoid using the nodeIntegration and contextIsolation settings in Electron's webPreferences until the issue is resolved.