Platform: python
Component: mindsdb
Fixed in: 24.9.3
CVE-2024-45856 describes a critical Cross-Site Scripting (XSS) vulnerability affecting all versions of the MindsDB platform up to and including 24.9.2.1. This vulnerability allows attackers to inject and execute malicious JavaScript code within the MindsDB web UI, potentially leading to account compromise and data theft. The vulnerability stems from insufficient input sanitization during enumeration of various platform resources.
The impact of this XSS vulnerability is significant. An attacker could leverage it to steal user session cookies, enabling them to impersonate legitimate users and gain unauthorized access to sensitive data and functionalities within the MindsDB platform. This could include accessing and manipulating machine learning models, databases, projects, and datasets. Furthermore, the attacker could potentially redirect users to malicious websites or deface the web interface. The blast radius extends to all users who interact with the MindsDB web UI, particularly those with administrative privileges.
CVE-2024-45856 was publicly disclosed on September 12, 2024. The vulnerability's criticality (CVSS score of 9.0) indicates a high probability of exploitation. As of this writing, no public proof-of-concept (PoC) code has been released, but the ease of exploitation inherent in XSS vulnerabilities suggests that a PoC is likely to emerge soon. It is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.16% (37th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2024-45856 is to upgrade to a patched version of MindsDB. The vendor has not yet released a fixed version, so until then, consider implementing strict input validation and output encoding on all user-supplied data within the web UI. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update security policies and procedures to ensure they address XSS vulnerabilities.
Update MindsDB to the latest available version. This will resolve the XSS vulnerability. See the release notes for more details about the update.
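The mitigation paragraph above names the two controls that close this class of bug: validate untrusted names on the way in, and HTML-encode them on the way out. The following Python snippet, added here as an illustration and not taken from MindsDB's code base, shows both on a constructed resource listing of the kind the advisory describes (model, database and project names echoed into the UI). The `render_unsafe` function is the pattern that leads to XSS; `render_safe` is the hardened form. The name allowlist in `NAME_RE` is an assumption chosen for the example, not MindsDB's actual naming rule.

```python
import html
import re

# Identifier-style allowlist for resource names. This regex is an assumption
# made for the example; MindsDB's real naming rules may differ.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,63}$")

# Constructed sample data: (kind, name) pairs as a resource-enumeration API
# might return them. The third name carries markup so the difference between
# the two renderers is visible.
RESOURCES = [
    ("model", "house_price_predictor"),
    ("database", "sales_db"),
    ("project", "<script>evil()</script>"),
]


def validate_resource_name(name: str) -> str:
    """Input validation: reject any name that is not a plain identifier."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid resource name: {name!r}")
    return name


def render_unsafe(resources) -> str:
    """Before: interpolates stored names straight into HTML.

    Any markup inside a name becomes part of the page, which is the
    stored-XSS pattern the advisory describes.
    """
    rows = "".join(f"<li>{kind}: {name}</li>" for kind, name in resources)
    return f"<ul>{rows}</ul>"


def render_safe(resources) -> str:
    """After: HTML-encode every untrusted value before it enters markup.

    html.escape turns <, >, &, " and ' into entities, so a name can only
    ever be displayed as text, never parsed as a tag or attribute.
    """
    rows = "".join(
        f"<li>{html.escape(kind)}: {html.escape(name)}</li>"
        for kind, name in resources
    )
    return f"<ul>{rows}</ul>"


def safe_names(resources) -> list[str]:
    """Return only the names that pass validation (defense in depth:
    validation at the API boundary, encoding at the rendering layer)."""
    accepted = []
    for _, name in resources:
        try:
            accepted.append(validate_resource_name(name))
        except ValueError:
            continue
    return accepted


if __name__ == "__main__":
    print(render_unsafe(RESOURCES))
    print(render_safe(RESOURCES))
    print(safe_names(RESOURCES))
```

Output encoding belongs at the point where data meets HTML, regardless of whether validation happened earlier: a template engine with auto-escaping enabled gives the same guarantee as `html.escape` here, and disabling it for a field (`|safe`, `Markup(...)`, `innerHTML`) reintroduces exactly the exposure the advisory covers.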
CVE-2024-45856 is a critical Cross-Site Scripting (XSS) vulnerability affecting MindsDB versions up to 24.9.2.1, allowing attackers to execute JavaScript code within the web UI.
Yes, if you are using MindsDB version 24.9.2.1 or earlier, you are vulnerable to this XSS attack.
Upgrade to a patched version of MindsDB as soon as it becomes available. Until then, implement input validation and WAF rules.
While no public exploits are currently known, the vulnerability's criticality suggests a high likelihood of exploitation.
Refer to the official MindsDB security advisories on their website or GitHub repository for updates and mitigation guidance.
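The affected range stated above (24.9.2.1 and earlier; fixed in 24.9.3) is easy to get wrong with a plain string comparison, because "24.10" sorts before "24.9" as text. The following Python snippet, added here as an example and not part of the advisory or of any vendor tooling, reads a `requirements.txt` and classifies a pinned `mindsdb` line against the advisory's fixed version using numeric tuple comparison. Pre-release suffixes such as `rc1` are not handled; that limitation is deliberate to keep the example self-contained.

```python
import re

# Version boundaries taken from the advisory text.
FIXED_VERSION = "24.9.3"
LAST_AFFECTED = "24.9.2.1"

# Matches "name==X.Y.Z" with an optional extras group such as "mindsdb[all]".
PIN_RE = re.compile(r"^\s*[A-Za-z0-9_.-]+(?:\[[^\]]*\])?\s*==\s*([0-9][0-9.]*)")

# Constructed sample requirements file for the example.
SAMPLE_REQUIREMENTS = """\
# constructed sample
flask==3.0.0
mindsdb==24.9.2.1   # pinned, inside the affected range
"""


def parse_version(version: str) -> tuple:
    """Split a dotted numeric version into an int tuple so that
    24.10.0 compares greater than 24.9.3 (string comparison would not)."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """True when the version is strictly below the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_requirements(text: str, package: str = "mindsdb"):
    """Classify the package's line in a requirements file.

    Returns "affected", "fixed", "unknown" (present but not pinned with ==),
    or None when the package does not appear at all.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Project name is everything before a version operator, space or extras bracket.
        name = re.split(r"[<>=!~\s\[]", line, maxsplit=1)[0].lower()
        if name != package.lower():
            continue
        match = PIN_RE.match(line)
        if not match:
            return "unknown"
        return "affected" if is_affected(match.group(1)) else "fixed"
    return None


if __name__ == "__main__":
    print(check_requirements(SAMPLE_REQUIREMENTS))
```

An unpinned or range-specified dependency resolves to whatever the index serves at install time, so "unknown" should be treated as a prompt to inspect the installed version (`pip show mindsdb`) rather than as a clean result.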