Brennantm

Name of the Vulnerable Software and Affected Versions Emissary versions prior to 8.39.0 Description Emissary, a P2P based data-driven workflow engine, was found to have a stored cross-site scripting (XSS) issue. Prior to version 8.39.0, Mustache navigation templates interpolated configuration-controlled link values directly into `href` attributes without validating the URL scheme. An administrator with the ability to modify the `navItems` configuration could inject `javascript:` URIs, leading to XSS against authenticated users viewing the Emissary web interface. The vulnerable code is located in `nav.mustache` (line 10), where the `{{link}}` value is rendered without scheme validation. An attacker could set a navigation item's link to `javascript:alert(document.cookie)` to execute arbitrary JavaScript in the victim's browser context. Exploitation requires administrative access and user interaction (clicking the malicious link). The impact includes potential session hijacking via cookie theft and the ability to perform actions on behalf of the victim user. Recommendations Upgrade to version 8.39.0 or later. If upgrading is not immediately possible, audit the `navItems` configuration to ensure all link values use only `http://`, `https://`, or relative (`/`) URL schemes.

Name of the Vulnerable Software and Affected Versions Emissary versions prior to 8.39.0 Description Emissary is a P2P based data-driven workflow engine. Prior to version 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values, including the `PLACE NAME` parameter, with insufficient sanitization. Only spaces were replaced with underscores, allowing shell metacharacters such as ;, |, $, `, (, ), etc., to pass through into /bin/sh -c command execution. Recommendations Update to version 8.39.0 or later.

Name of the Vulnerable Software and Affected Versions Emissary versions prior to 8.39.0 Description Emissary is a P2P based data-driven workflow engine. Prior to version 8.39.0, the configuration API endpoint `/api/configuration/{name}` validated configuration names using a blacklist approach that checked for , /, .., and trailing .. This validation could be bypassed using URL-encoded variants, double-encoding, or Unicode normalization, potentially leading to path traversal and the ability to read configuration files outside the intended directory. Recommendations Update to version 8.39.0 or later.

Name of the Vulnerable Software and Affected Versions Emissary versions prior to 8.39.0 Description Emissary is a P2P based data-driven workflow engine. Prior to version 8.39.0, GitHub Actions workflow files contained shell injection points. User-controlled `workflow dispatch` inputs were interpolated directly into shell commands via the `${{ }}` expression syntax. An attacker with repository write access could inject arbitrary shell commands, potentially leading to repository poisoning and supply chain compromise affecting downstream users. Recommendations Update to version 8.39.0 or higher.