CVE-2024-43396 – khoj

Package

Manager: pip
Name: khoj
Vulnerable Version: >=0 <1.15.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00085 pctl0.2562

Details

Khoj Vulnerable to Stored Cross-site Scripting In Automate (Preview feature) ### Summary The Automation feature allows a user to insert arbitrary HTML inside the task instructions, resulting in a Stored XSS. ### Details The `q` parameter for the `/api/automation` endpoint does not get correctly sanitized when rendered on the page, resulting in the ability of users to inject arbitrary HTML/JS. ### PoC ``` POST /api/automation?q=%22%3E%3C%2Ftextarea%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E%3Cscript%3Ealert(2)%3C%2Fscript%3E ``` ### Impact Stored XSS:  ### Fix - Added a Content Security Policy to all config pages on the web client, including the automation page - Used DOM scripting to construct all components on the config pages, including the automation page

Metadata

Created: 2024-08-20T19:59:32Z
Modified: 2024-08-21T14:53:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-cf72-vg59-4j4h/GHSA-cf72-vg59-4j4h.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-cf72-vg59-4j4h
Finding: F425
Auto approve: 1