Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Vulnerability Description
The desktop application in Dot through 0.9.3 allows XSS and resultant command execution because user input and LLM output are appended to the DOM with innerHTML (in render.js), and because the Electron window can access Node.js APIs.
CVSS Information
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
Dot 跨站脚本漏洞
Vulnerability Description
Dot是alexpinel个人开发者的一个文本转语音、RAG和LLM工具。 Dot 0.9.3及之前版本存在跨站脚本漏洞,该漏洞源于用户输入和LLM输出使用innerHTML追加到DOM,可能导致跨站脚本和命令执行。
CVSS Information
N/A
Vulnerability Type
N/A