Vulnerability Information
Although we use advanced large-model technology, its output may still contain inaccurate or outdated information. 神龙 strives to ensure the accuracy of its data, but please verify and judge according to your actual situation.
Vulnerability Title
Open WebUI: Stored XSS in Mermaid Markdown Preview
Vulnerability Description
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using innerHTML. Because Mermaid is configured with securityLevel: 'loose', attacker-controlled Mermaid content can be rendered unsafely in this flow. A working payload was validated through the Markdown preview path, resulting in JavaScript execution in the victim's browser under the application origin. This vulnerability is fixed in 0.9.6.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Vulnerability Type
Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
Vulnerability Title
Open WebUI Cross-site Scripting Vulnerability
Vulnerability Description
Open WebUI is an extensible, feature-rich, user-friendly self-hosted WebUI open-sourced by the Open WebUI team. Open WebUI versions before 0.9.6 contain a cross-site scripting vulnerability. The flaw arises because, when handling Markdown file previews, the application inserts the Mermaid-generated SVG into the DOM using innerHTML and configures Mermaid with a loose security level, so attacker-controlled Mermaid content is rendered unsafely and JavaScript may be executed in the victim's browser.
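Both descriptions above rest on the same precondition: Mermaid runs with securityLevel 'loose' and its SVG reaches the page through innerHTML. Under Mermaid's default 'strict' level, HTML tags in labels are encoded and click callbacks are disabled; under 'loose' both are live. The following is an added example, not Open WebUI or Mermaid code, showing a triage scanner a defender could run over uploaded or stored Markdown to find Mermaid blocks whose content is inert under 'strict' but becomes active under 'loose'. The fence regex, the risk patterns and their names, and the sample Markdown are constructed for this example.

```javascript
// Added example (not Open WebUI code): triage scanner for Mermaid blocks in Markdown.
// It flags diagram source that is harmless under Mermaid's default securityLevel
// 'strict' (tags encoded, click callbacks off) but live under 'loose'.
// The heuristics below are this example's own, not a Mermaid or Open WebUI API.

// Fenced ```mermaid blocks in Markdown; capture group 1 is the diagram source.
const MERMAID_FENCE = /```mermaid[ \t]*\r?\n([\s\S]*?)\r?\n```/g;

// Constructs that only become dangerous under securityLevel: 'loose'.
const RISK_PATTERNS = [
  // An HTML tag inside a label or note, e.g. A["<img src=x onerror=...>"].
  // Requires a tag name right after '<' so "A{x < y}" does not match.
  { name: 'html-tag-in-label', re: /<\s*[a-z][a-z0-9-]*(\s[^<>]*)?\/?>/i },
  // An inline event handler attribute such as onerror= or onload=.
  { name: 'event-handler-attr', re: /\bon[a-z]+\s*=/i },
  // A javascript: URI in a link label or href directive.
  { name: 'javascript-uri', re: /javascript\s*:/i },
  // A click directive bound to a callback rather than an href/URL, e.g.
  // `click A cb "tip"` or `click A call cb()`; only invoked when click is enabled.
  { name: 'click-callback',
    re: /^\s*click\s+\S+\s+(?:call\b[^\n]*|(?!href\b)[A-Za-z_$][\w$]*\s*(?:"[^"]*")?\s*$)/im },
];

// Constructed sample: one benign diagram and one carrying markup and a callback.
const SAMPLE_MARKDOWN = [
  '# Architecture notes',
  '',
  'A benign diagram:',
  '',
  '```mermaid',
  'graph TD',
  '  A[Client] --> B[API]',
  '```',
  '',
  'A diagram whose label markup is only live under securityLevel loose:',
  '',
  '```mermaid',
  'graph TD',
  '  A["<img src=x onerror=alert(1)>"] --> B',
  '  click B callback "tooltip"',
  '```',
].join('\n');

// Return the source of every ```mermaid block in document order.
function extractMermaidBlocks(markdown) {
  const blocks = [];
  for (const match of markdown.matchAll(MERMAID_FENCE)) {
    blocks.push(match[1]);
  }
  return blocks;
}

// Return the names of the risk patterns that fire on one diagram source.
function assessBlock(source) {
  return RISK_PATTERNS.filter((p) => p.re.test(source)).map((p) => p.name);
}

// Return [{ index, risks }] for each Mermaid block that needs a human look.
function scanMarkdown(markdown) {
  return extractMermaidBlocks(markdown)
    .map((source, index) => ({ index, risks: assessBlock(source) }))
    .filter((result) => result.risks.length > 0);
}

// Stand-alone run: report the blocks that would be live under 'loose'.
console.log(JSON.stringify(scanMarkdown(SAMPLE_MARKDOWN), null, 2));
```

Run it with `node` against a file's contents in place of SAMPLE_MARKDOWN. The scanner is a detection aid for hunting through existing uploads or gating new ones; it does not replace the remediation the advisory names, which is updating Open WebUI to 0.9.6.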
CVSS Information
N/A
Vulnerability Type
N/A