Vulnerability Information
Vulnerability Title
Stored XSS via Eval Injection in EchartsRander Component
Vulnerability Description
MaxKB is an open-source AI assistant for enterprise. Versions 2.7.1 and below contain an Eval Injection vulnerability in the Markdown rendering engine that allows any user capable of interacting with the AI chat interface to execute arbitrary JavaScript in the browsers of other users, including administrators, resulting in Stored Cross-Site Scripting (XSS). This issue has been fixed in version 2.8.0.
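The root cause named above is a renderer that evaluates chart configuration taken from user-controlled Markdown as JavaScript. The following is an added illustration, not MaxKB's own code, of the two patterns side by side: a hypothetical `parseChartOptionUnsafe` that treats a fenced-block body as code, and a hardened `parseChartOptionSafe` that treats it strictly as data (JSON.parse plus an allowlist of chart keys). The sample block bodies are constructed for the demo; the allowlisted keys are an assumption about what a bar or line chart needs, not MaxKB's schema.

```javascript
// Added example (not MaxKB's code): chart-option parsing for an
// ECharts block embedded in Markdown, unsafe vs hardened.

// Constructed sample: a well-formed JSON chart option.
const SAMPLE_SAFE =
  '{"title":{"text":"Sales"},"series":[{"type":"bar","data":[1,2,3]}]}';
// Constructed sample: JavaScript rather than JSON. When evaluated it sets a
// harmless flag; in a real page this is where attacker script would run.
const SAMPLE_ACTIVE = '(globalThis.__evaluated = true, {"series":[]})';

// Vulnerable pattern (hypothetical): the block body is run as JavaScript so
// that unquoted keys and inline functions "just work". Any text executes.
function parseChartOptionUnsafe(body) {
  return new Function('return (' + body + ')')();
}

// Hardened pattern: the block body is data only. JSON.parse never executes
// anything, and a shallow allowlist keeps the result to plain chart fields.
const ALLOWED_TOP_LEVEL = new Set([
  'title', 'tooltip', 'legend', 'xAxis', 'yAxis', 'series', 'grid',
]);
const ALLOWED_SERIES_TYPES = new Set(['line', 'bar', 'pie', 'scatter']);

function parseChartOptionSafe(body) {
  let opt;
  try {
    opt = JSON.parse(body);
  } catch (e) {
    return null; // not JSON: refuse to render, never fall back to eval
  }
  if (opt === null || typeof opt !== 'object' || Array.isArray(opt)) return null;
  // Copy only allowlisted keys; unknown keys (including "__proto__") are dropped.
  const clean = {};
  for (const key of Object.keys(opt)) {
    if (ALLOWED_TOP_LEVEL.has(key)) clean[key] = opt[key];
  }
  if (!Array.isArray(clean.series)) return null;
  for (const s of clean.series) {
    if (!s || typeof s !== 'object' || !ALLOWED_SERIES_TYPES.has(s.type)) {
      return null;
    }
  }
  return clean;
}

// Summarise what each parser does with the active sample.
function compareParsers() {
  const safeResult = parseChartOptionSafe(SAMPLE_ACTIVE);
  const flagAfterSafe = globalThis.__evaluated === true;
  parseChartOptionUnsafe(SAMPLE_ACTIVE);
  const flagAfterUnsafe = globalThis.__evaluated === true;
  return { safeResult, flagAfterSafe, flagAfterUnsafe };
}
```

The safe parser rejects the active sample outright instead of "fixing it up", and the flag stays unset until the unsafe parser runs it. In a real renderer the same rule applies: any feature that needs the config to be executable (callbacks, formatters as functions) must be expressed as data and mapped to trusted code on the rendering side, never evaluated from the Markdown.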
CVSS Information
N/A
Vulnerability Type
Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
Vulnerability Title
MaxKB security vulnerability
Vulnerability Description
MaxKB is an open-source knowledge base question-answering system based on large language models and RAG, developed by 1Panel-dev. MaxKB 2.7.1 and earlier versions contain a security vulnerability caused by an Eval injection flaw in the Markdown rendering engine, which could allow any user able to interact with the AI chat interface to execute arbitrary JavaScript in other users' browsers.
CVSS Information
N/A
Vulnerability Type
N/A