CVE-2024-57783

EUVD-2024-54618
The desktop application in Dot through 0.9.3 allows XSS and resultant command execution because user input and LLM output are appended to the DOM with innerHTML (in render.js), and because the Electron window can access Node.js APIs.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
LOCAL
HIGH
NONE
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
mitreCNA
8.1 HIGH
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 7%
Common Weakness Enumeration
References
https://dotapp.uk
https://github.com/EDMPL/Vulnerability-Research/tree/main/CVE-2024-57783
https://github.com/alexpinel/Dot/issues/28