GHSA-cf72-vg59-4j4h

Source
https://github.com/advisories/GHSA-cf72-vg59-4j4h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-cf72-vg59-4j4h/GHSA-cf72-vg59-4j4h.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-cf72-vg59-4j4h
Aliases
Published
2024-08-20T19:59:32Z
Modified
2024-08-21T15:02:48.490659Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Summary
Khoj Vulnerable to Stored Cross-site Scripting In Automate (Preview feature)
Details

Summary

The Automation feature allows a user to insert arbitrary HTML inside the task instructions, resulting in a Stored XSS.

Details

The q parameter of the /api/automation endpoint is not correctly sanitized when it is rendered on the page, so users can inject arbitrary HTML/JS into the stored automation.

PoC

POST /api/automation?q=%22%3E%3C%2Ftextarea%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E%3Cscript%3Ealert(2)%3C%2Fscript%3E

Impact

Stored XSS: [screenshot image]

Fix

  • Added a Content Security Policy to all config pages on the web client, including the automation page
  • Used DOM scripting to construct all components on the config pages, including the automation page
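The rendering patterns behind this fix, as an added example written for this page rather than Khoj's own code: the raw-interpolation pattern that the PoC breaks out of, an escaping variant for string-rendered templates, a DOM-built variant in the spirit of the advisory's "DOM scripting" fix, and a small check that models how the browser ends textarea content. The `name="q"` attribute, the function names and the fake-document parameter are assumptions.

```javascript
// Added example for this advisory, not Khoj's own code. It models the bug
// class: text interpolated raw into a <textarea> is parsed by the browser as
// raw text only up to the first "</textarea", after which markup resumes.

// The PoC's q parameter, URL-decoded (taken from the advisory above).
const POC_Q = '"></textarea><img src=x onerror=alert(document.cookie)>' +
              '<script>alert(2)</script>';

// Vulnerable pattern (the "before"): q is concatenated into page markup.
function buildTextareaUnsafe(q) {
  return '<textarea name="q">' + q + '</textarea>';
}

// Corrected pattern for string-rendered templates: escape the characters
// the HTML parser acts on, so "</textarea>" inside q stays literal text.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}
function buildTextareaSafe(q) {
  return '<textarea name="q">' + escapeHtml(q) + '</textarea>';
}

// Corrected pattern in the spirit of the advisory's fix (DOM scripting):
// the value is assigned as data and never parsed as HTML. The document is
// a parameter (assumption) so the module also loads outside a browser.
function renderTextareaWithDom(doc, q) {
  const el = doc.createElement('textarea');
  el.name = 'q';
  el.value = q;
  return el;
}

// Rough model of the parser's textarea handling, used as a check: content
// ends at the first case-insensitive "</textarea"; what follows is markup.
function splitAtTextareaEnd(html) {
  const contentStart = html.indexOf('>') + 1;
  const close = html.toLowerCase().indexOf('</textarea', contentStart);
  return {
    text: html.slice(contentStart, close),
    trailingMarkup: html.slice(html.indexOf('>', close) + 1),
  };
}

// Detection check: does rendering q leave any tag after the textarea closes?
function leaksMarkup(html) {
  return /<[a-z!\/]/i.test(splitAtTextareaEnd(html).trailingMarkup);
}
```

The Content Security Policy from the first fix bullet is the second layer: even if a breakout like the one modelled here slipped through, inline handlers and inline scripts would be blocked by the policy.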
Database specific
{
    "nvd_published_at": "2024-08-20T21:15:14Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-08-20T19:59:32Z"
}
References

Affected packages

PyPI / khoj

Package

Affected ranges

Type: ECOSYSTEM
Events:
  • Introduced: 0 (unknown introduced version; all previous versions are affected)
  • Fixed: 1.15.0

Affected versions

1.*
  • 1.0