How severe is CVE-2024-4286?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 4.9 out of 10.

What type of vulnerability is CVE-2024-4286?

This is classified as CWE-917, which is a common weakness in software security.

CVE-2024-4286 - MEDIUM Severity | CVSS 4.9

Vulnerability Description

Mintplex-Labs' anything-llm application is vulnerable to improper neutralization of special elements used in an expression language statement, identified in the commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. The vulnerability arises from the application's handling of user modifications by managers or admins, allowing for the modification of all existing attributes of the `user` database entity without proper checks or sanitization. This flaw can be exploited to delete user threads, denying users access to their previously submitted data, or to inject fake threads and/or chat history for social engineering attacks.

Related Vulnerabilities

CVE-2023-22665

MEDIUM

CVSS:5.4(Medium)

There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query.

CWE-9172023

CVE-2024-9672

MEDIUM

CVSS:5.4(Medium)

A reflected cross-site scripting (XSS) vulnerability exists in PaperCut NG/MF. This issue can be used to execute specially created JavaScript payloads in the browser. A user must click on a malicious ...

CWE-9172024

CVE-2019-11628

MEDIUM

CVSS:6.5(Medium)

An issue was discovered in QlikView Server before 11.20 SR19, 12.00 and 12.10 before 12.10 SR11, 12.20 before SR9, and 12.30 before SR2; and Qlik Sense Enterprise and Qlik Analytics Platform installat...

CWE-9172019

CVE-2018-12532

CRITICAL

CVSS:9.8(Critical)

JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute arbitrary Java code via a MediaOutputResource's...

CWE-9172018

CVE-2018-12533

CRITICAL

CVSS:9.8(Critical)

JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org....

CWE-9172018

CVE-2019-11949

CRITICAL

CVSS:9.8(Critical)

A remote code execution vulnerability was identified in HPE Intelligent Management Center (IMC) PLAT earlier than version 7.3 E0506P09.

CWE-9172019