mudler LocalAI Cross-Site Scripting Vulnerability in Search Functionality

Vulnerability

A Cross-Site Scripting (XSS) vulnerability has been identified in mudler/localai version 2.21.1. This issue arises from inadequate sanitization of user input in the search feature, allowing the injection and execution of arbitrary JavaScript. Exploitation of this vulnerability could result in the execution of malicious scripts within the context of the user's browser, potentially compromising user sessions, stealing session cookies, redirecting users to harmful websites, or manipulating the Document Object Model (DOM).

Impact

Exploitation of this vulnerability allows for Cross-Site Scripting (XSS) attacks, where an attacker can inject and execute malicious scripts in the context of the victim's browser.

Reproduction

The vulnerability can be reproduced by entering unsanitized input into the search functionality of mudler/localai version 2.21.1. The injected JavaScript will be executed in the context of the user's browser, demonstrating the Cross-Site Scripting vulnerability.

Remediation

Users should update to the latest version of mudler/localai, in which this vulnerability has been addressed. Instructions for updating can be found in the project's documentation.
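The root cause named above is search input that is reflected into an HTML page without escaping. The following Go snippet is an added, illustrative example written for this page; it is not LocalAI's actual search handler, and the handler, template and function names are hypothetical. It places the unsafe pattern (string formatting straight into HTML) next to the hardened one (rendering through html/template, which applies context-aware escaping), and sets a Content-Security-Policy header as defence in depth.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"net/http"
	"strings"
)

// Hypothetical search page that reflects the user's query back into the HTML
// response. Illustrative only: this is not LocalAI's real handler.

// renderSearchUnsafe builds the page with plain string formatting. The query is
// copied into the markup verbatim, so any tags it contains become part of the DOM.
func renderSearchUnsafe(query string) string {
	return fmt.Sprintf(`<h1>Results for: %s</h1>`, query)
}

// searchTmpl is parsed once. html/template escapes every {{.Query}} according to
// where it lands: HTML element content in the <h1>, URL query component in the href.
var searchTmpl = template.Must(template.New("search").Parse(
	`<h1>Results for: {{.Query}}</h1>` +
		`<a href="/search?q={{.Query}}">permalink</a>`))

// renderSearchSafe renders the same page through the auto-escaping template.
func renderSearchSafe(query string) (string, error) {
	var buf bytes.Buffer
	if err := searchTmpl.Execute(&buf, struct{ Query string }{query}); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// containsRawScriptTag is a crude check used only to compare the two renderings
// on a constructed input; it is not a general XSS detector.
func containsRawScriptTag(page string) bool {
	return strings.Contains(page, "<script>")
}

// searchHandler is the hardened endpoint: escaped rendering plus a restrictive CSP
// that blocks inline scripts even if an escaping gap is introduced later.
func searchHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self'")
	page, err := renderSearchSafe(r.URL.Query().Get("q"))
	if err != nil {
		http.Error(w, "render error", http.StatusInternalServerError)
		return
	}
	_, _ = w.Write([]byte(page))
}

func main() {
	// Constructed sample input: generic markup used only to show the escaping difference.
	sample := `<script>alert(1)</script>`
	fmt.Println("unsafe:", renderSearchUnsafe(sample))
	safe, err := renderSearchSafe(sample)
	if err != nil {
		panic(err)
	}
	fmt.Println("safe:  ", safe)
	http.HandleFunc("/search", searchHandler)
	fmt.Println("listening on :8080 (hypothetical demo server)")
	_ = http.ListenAndServe("127.0.0.1:8080", nil)
}
```

Running the program prints the unsafe rendering with the tags intact and the safe rendering with `&lt;script&gt;` in the heading and a percent-encoded value in the link, which is the observable difference a code reviewer looks for when auditing a reflected-input page. The design choice worth noting is that html/template decides the escaping by output context rather than by a single escape call, so the same `{{.Query}}` is handled correctly in both positions.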

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          0.3
  impact          3.5
  exploitability  7.4
  remediation     0.0
  relevance       0.0
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.