Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
5ire vulnerable to Remote Code Execution (RCE)
Vulnerability Description
5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe HTML rendering permits untrusted HTML (including on* event attributes) to execute in the renderer context. An attacker can inject an `<img onerror=...>` payload to run arbitrary JavaScript in the renderer, which can call exposed bridge APIs such as `window.bridge.mcpServersManager.createServer`. This enables unauthorized creation of MCP servers and lead to remote command execution. Version 0.15.3 fixes the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vulnerability Type
对输出编码和转义不恰当
Vulnerability Title
5ire 安全漏洞
Vulnerability Description
5ire是Ironben个人开发者的一个跨平台的桌面AI助手。 5ire 0.15.3之前版本存在安全漏洞,该漏洞源于不安全的HTML渲染允许不受信任的HTML执行,可能导致攻击者注入恶意载荷执行任意JavaScript,进而实现远程命令执行。
CVSS Information
N/A
Vulnerability Type
N/A