The Automation feature allows a user to insert arbitrary HTML inside the task instructions, resulting in a Stored XSS.
The q
parameter for the /api/automation
endpoint does not get correctly sanitized when rendered on the page, resulting in the ability of users to inject arbitrary HTML/JS.
POST /api/automation?q=%22%3E%3C%2Ftextarea%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E%3Cscript%3Ealert(2)%3C%2Fscript%3E
Stored XSS:
{ "nvd_published_at": "2024-08-20T21:15:14Z", "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-08-20T19:59:32Z" }