Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Typebot Vulnerable to Credential Theft via Client-Side Script Execution and API Authorization Bypass
Vulnerability Description
Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking "Run", JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
Typebot 安全漏洞
Vulnerability Description
Typebot是Baptiste Arnaud个人开发者的一个开源聊天机器人构建器。 Typebot 3.13.2之前版本存在安全漏洞,该漏洞源于客户端脚本执行且凭据端点返回明文API密钥,可能导致窃取存储的凭据。
CVSS Information
N/A
Vulnerability Type
N/A