Описание
Khoj Vulnerable to Stored Cross-site Scripting In Automate (Preview feature)
Summary
The Automation feature allows a user to insert arbitrary HTML inside the task instructions, resulting in a Stored XSS.
Details
The q parameter for the /api/automation endpoint does not get correctly sanitized when rendered on the page, resulting in the ability of users to inject arbitrary HTML/JS.
PoC
Impact
Stored XSS:
Fix
- Added a Content Security Policy to all config pages on the web client, including the automation page
- Used DOM scripting to construct all components on the config pages, including the automation page
Пакеты
khoj
< 1.15.0
1.15.0
Связанные уязвимости
Khoj is an application that creates personal AI agents. The Automation feature allows a user to insert arbitrary HTML inside the task instructions, resulting in a Stored XSS. The q parameter for the /api/automation endpoint does not get correctly sanitized when rendered on the page, resulting in the ability of users to inject arbitrary HTML/JS. This vulnerability is fixed in 1.15.0.