CVE-2024-43396

Name of the Vulnerable Software and Affected Versions Khoj versions prior to 1.15.0

Description The Automation feature in Khoj allows users to insert arbitrary HTML inside task instructions, resulting in a Stored XSS. The q parameter for the "/api/automation" endpoint does not get correctly sanitized when rendered on the page, allowing users to inject arbitrary HTML/JS.

Recommendations For versions prior to 1.15.0, update to version 1.15.0 to fix the vulnerability. As a temporary workaround, consider restricting access to the /api/automation endpoint until the update is applied. Additionally, avoid using the q parameter in the affected API endpoint until the issue is resolved.