Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-cf72-vg59-4j4h: Khoj Vulnerable to Stored Cross-site Scripting In Automate (Preview feature)

Summary

The Automation feature allows a user to insert arbitrary HTML inside the task instructions, resulting in a Stored XSS.

Details

The q parameter for the /api/automation endpoint does not get correctly sanitized when rendered on the page, resulting in the ability of users to inject arbitrary HTML/JS.

PoC

POST /api/automation?q=%22%3E%3C%2Ftextarea%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E%3Cscript%3Ealert(2)%3C%2Fscript%3E

Impact

Stored XSS: image

Fix

  • Added a Content Security Policy to all config pages on the web client, including the automation page
  • Used DOM scripting to construct all components on the config pages, including the automation page
ghsa
#xss#web#js#git

Summary

The Automation feature allows a user to insert arbitrary HTML inside the task instructions, resulting in a Stored XSS.

Details

The q parameter for the /api/automation endpoint does not get correctly sanitized when rendered on the page, resulting in the ability of users to inject arbitrary HTML/JS.

PoC

POST /api/automation?q=%22%3E%3C%2Ftextarea%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E%3Cscript%3Ealert(2)%3C%2Fscript%3E

Impact

Stored XSS:

Fix

  • Added a Content Security Policy to all config pages on the web client, including the automation page
  • Used DOM scripting to construct all components on the config pages, including the automation page

References

  • GHSA-cf72-vg59-4j4h
  • khoj-ai/khoj@1c7a562
  • khoj-ai/khoj@55be90c

ghsa: Latest News

GHSA-vm62-9jw3-c8w3: Gogs has an argument Injection in the built-in SSH server