CVE-2024-25639

Khoj is an application that creates personal AI agents. The Khoj Obsidian, Desktop and Web clients inadequately sanitize the AI model's response and user inputs. This can trigger Cross Site Scripting (XSS) via Prompt Injection from untrusted documents either indexed by the user on Khoj or read by Khoj from the internet when the user invokes the /online command. This vulnerability is fixed in 1.13.0.
Configurations

Configuration 1 (hide)

cpe:2.3:a:khoj:khoj:*:*:*:*:*:*:*:*

History

21 Nov 2024, 09:01

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 7.5
v2 : unknown
v3 : 5.9
References () https://github.com/khoj-ai/khoj/commit/1dfd6d7391862d3564db7f4875216880b73cb6cc - Patch () https://github.com/khoj-ai/khoj/commit/1dfd6d7391862d3564db7f4875216880b73cb6cc - Patch
References () https://github.com/khoj-ai/khoj/security/advisories/GHSA-h2q2-vch3-72qm - Exploit, Vendor Advisory () https://github.com/khoj-ai/khoj/security/advisories/GHSA-h2q2-vch3-72qm - Exploit, Vendor Advisory

22 Aug 2024, 14:59

Type Values Removed Values Added
CPE cpe:2.3:a:khoj:khoj:*:*:*:*:*:*:*:*
CWE CWE-77
CWE-79
First Time Khoj
Khoj khoj
CVSS v2 : unknown
v3 : 5.9
v2 : unknown
v3 : 7.5
Summary
  • (es) Khoj es una aplicación que crea agentes personales de IA. Los clientes web, de escritorio y de Khoj Obsidian sanitizan inadecuadamente la respuesta del modelo de IA y las entradas de los usuarios. Esto puede activar Cross Site Scripting (XSS) mediante inyección rápida desde documentos que no son de confianza, ya sea indexados por el usuario en Khoj o leídos por Khoj desde Internet cuando el usuario invoca el comando /online. Esta vulnerabilidad se solucionó en 1.13.0.
References () https://github.com/khoj-ai/khoj/commit/1dfd6d7391862d3564db7f4875216880b73cb6cc - () https://github.com/khoj-ai/khoj/commit/1dfd6d7391862d3564db7f4875216880b73cb6cc - Patch
References () https://github.com/khoj-ai/khoj/security/advisories/GHSA-h2q2-vch3-72qm - () https://github.com/khoj-ai/khoj/security/advisories/GHSA-h2q2-vch3-72qm - Exploit, Vendor Advisory

08 Jul 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-08 15:15

Updated : 2024-11-21 09:01


NVD link : CVE-2024-25639

Mitre link : CVE-2024-25639

CVE.ORG link : CVE-2024-25639


JSON object : View

Products Affected

khoj

  • khoj
CWE
CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')