Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jZjcyLXZnNTktNGo0aM4AA-0B

Khoj Vulnerable to Stored Cross-site Scripting In Automate (Preview feature)

Summary

The Automation feature allows a user to insert arbitrary HTML inside the task instructions, resulting in a Stored XSS.

Details

The q parameter of the /api/automation endpoint is not correctly sanitized when it is rendered on the page, so users can inject arbitrary HTML/JS into the stored task instructions.

PoC

POST /api/automation?q=%22%3E%3C%2Ftextarea%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E%3Cscript%3Ealert(2)%3C%2Fscript%3E
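The following is an added illustration, not Khoj's code or its actual fix: a hypothetical rendering of the stored q value into a textarea, once verbatim (the defect class described above) and once with HTML escaping, plus a check that the PoC value from the request above can no longer close the textarea or introduce a tag.

```python
import html
from urllib.parse import urlsplit, parse_qs

# The PoC request path from the advisory; the q value is decoded from it below.
POC_REQUEST = ("/api/automation?q=%22%3E%3C%2Ftextarea%3E%3Cimg%20src%3Dx%20onerror%3D"
               "alert(document.cookie)%3E%3Cscript%3Ealert(2)%3C%2Fscript%3E")

TEXTAREA_OPEN = '<textarea name="q">'
TEXTAREA_CLOSE = '</textarea>'


def extract_q(path_and_query: str) -> str:
    """Return the decoded q parameter as a server would see it."""
    return parse_qs(urlsplit(path_and_query).query)["q"][0]


def render_vulnerable(instructions: str) -> str:
    """Hypothetical unsafe rendering: the stored value is interpolated verbatim,
    so a value containing '</textarea>' escapes the element and injects markup."""
    return f"{TEXTAREA_OPEN}{instructions}{TEXTAREA_CLOSE}"


def render_hardened(instructions: str) -> str:
    """Escape &, <, > and both quote characters before inserting the value
    into the HTML body; the browser then shows the text instead of parsing it."""
    return f"{TEXTAREA_OPEN}{html.escape(instructions, quote=True)}{TEXTAREA_CLOSE}"


def breaks_out_of_textarea(rendered: str) -> bool:
    """Crude regression check on the rendered fragment: the part between the
    textarea tags must contain neither an early '</textarea' nor any '<'.
    A production test would parse the DOM rather than scan the string."""
    body = rendered[len(TEXTAREA_OPEN):-len(TEXTAREA_CLOSE)]
    return "</textarea" in body.lower() or "<" in body
```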

Impact

Stored XSS: [screenshot from the original advisory omitted]

Fix

Permalink: https://github.com/advisories/GHSA-cf72-vg59-4j4h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jZjcyLXZnNTktNGo0aM4AA-0B
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 3 months ago


CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Identifiers: GHSA-cf72-vg59-4j4h, CVE-2024-43396
References: Repository: https://github.com/khoj-ai/khoj
Blast Radius: 1.6

Affected Packages

pypi:khoj
Dependent packages: 0
Dependent repositories: 2
Downloads: 19,143 last month
Affected Version Ranges: < 1.15.0
Fixed in: 1.15.0
All affected versions:
All unaffected versions: 1.17.0, 1.20.0, 1.20.2, 1.20.3, 1.20.4, 1.21.0, 1.21.1, 1.21.2, 1.21.3, 1.21.4, 1.21.5, 1.21.6, 1.22.0, 1.22.1, 1.22.2, 1.22.3, 1.23.0, 1.23.1, 1.23.2, 1.23.3, 1.24.0, 1.24.1, 1.25.0, 1.26.0, 1.26.1, 1.26.2, 1.26.3, 1.26.4, 1.27.0, 1.27.1, 1.28.0, 1.28.1, 1.28.2, 1.28.3, 1.29.0, 1.29.1, 1.30.0, 1.30.1