Dot Desktop Application Cross-Site Scripting Vulnerability Leading to Remote Code Execution
Vulnerability
A Cross-Site Scripting (XSS) vulnerability has been identified in the Dot Electron desktop application, affecting versions through 0.9.3. The issue arises because both user input and the language model's output are added to the DOM without proper sanitization, so a crafted message can run arbitrary script in the renderer. The impact is exacerbated by the Electron application's Node.js integration, which lets that script execute system-level commands.
Impact
Exploitation of this vulnerability allows for Cross-Site Scripting, with the potential for Remote Code Execution on the affected user's system.
Reproduction
To reproduce this vulnerability, enter a message containing HTML tags into the chat box, such as an image tag with an 'onerror' event. The message is rendered using innerHTML, which does not sanitize the input, so the tag and its event handler are interpreted as markup rather than text. If the 'nodeIntegration' option is enabled, this XSS can be leveraged to execute arbitrary commands on the system via Node.js APIs.
Remediation
Users are advised to update to version 0.9.4 or later, where this vulnerability has been addressed. For those unable to update, a temporary workaround is to disable Node.js integration in the Electron application.
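The two root causes above (innerHTML rendering of untrusted chat text, and Node.js integration in the renderer) and the remediation, as an added example that is not code from the Dot project. It shows the unsafe rendering pattern beside an escaped one, a check that a rendered fragment contains no injected tag, and the BrowserWindow webPreferences the workaround refers to; the sample message and the hypothetical webPreferences object are constructed for the example.

```javascript
// Added example (not the Dot project's code). A chat message is a plain
// string that came either from the user or from the language model.

// Characters that can start markup or break out of an attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the raw message becomes markup, so any tag in it is parsed
// and its event handlers run in the renderer process (bubble.innerHTML = ...).
function renderMessageUnsafe(message) {
  return `<div class="msg">${message}</div>`;
}

// Hardened: the message is escaped first, so it can only ever be text.
// (Equivalent DOM-side fix: bubble.textContent = message.)
function renderMessageSafe(message) {
  return `<div class="msg">${escapeHtml(message)}</div>`;
}

// Detection helper: does the rendered fragment still contain a tag other
// than the wrapper div? Useful as a unit test on the rendering path.
function containsInjectedTag(html) {
  const inner = html.replace(/^<div class="msg">|<\/div>$/g, '');
  return /<[a-z!\/]/i.test(inner);
}

// Hypothetical webPreferences for the window that hosts the chat view.
// nodeIntegration and contextIsolation are real Electron options; disabling
// Node integration is the workaround the advisory describes, and it turns a
// successful XSS back into a renderer-only problem instead of RCE.
const hardenedWebPreferences = {
  nodeIntegration: false,  // renderer cannot reach require()/process directly
  contextIsolation: true,  // preload and page scripts run in separate worlds
  sandbox: true,
};

// Constructed sample of the message shape the advisory describes.
const SAMPLE_MESSAGE = '<img src="x" onerror="handler()">hello';

console.log('unsafe:', renderMessageUnsafe(SAMPLE_MESSAGE));
console.log('safe:  ', renderMessageSafe(SAMPLE_MESSAGE));
```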
