User can submit message to self-XSS

User can send a chat that contains an XSS opportunity that will then run when the chat is sent and on subsequent page loads. Given the minimum requirement for a user to send a chat is to be given access to a workspace via an admin the risk is low. Additionally, the location in which the XSS renders is only limited to the user who submits the XSS. Ultimately, this attack is limited to the user attacking themselves. There is no anonymous chat submission unless the user does not take the minimum steps required to protect their instance.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

AnythingLLM 跨站脚本漏洞

AnythingLLM是符合业务要求的文档聊天机器人。 AnythingLLM 存在跨站脚本漏洞，该漏洞源于在聊天框中注入跨站脚本。

N/A

N/A