CVE-2021-44042

Name of the Vulnerable Software and Affected Versions: UiPath Assistant version 21.4.4

Description: An issue was discovered where user-controlled data supplied to the --process-start argument of the URI handler for "uipath-assistant://" is not correctly encoded. This results in attacker-controlled content being injected into the error message displayed when the injected content does not match an existing process. A determined attacker could leverage this to execute JavaScript in the context of the Electron application.

Recommendations: For UiPath Assistant version 21.4.4, consider disabling the URI handler for "uipath-assistant://" as a temporary workaround until a patch is available. Restrict access to the --process-start argument to minimize the risk of exploitation. Avoid using the --process-start argument in the affected URI handler until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.