5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-43396

GHSA ID

GHSA-cf72-vg59-4j4h

EPSS Score

0.2571%

CWE

CWE-79

Published

8/20/2024

Updated

8/21/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-43396

CVE-2024-43396: Khoj Vulnerable to Stored Cross-site Scripting In Automate (Preview feature)

Summary

The Automation feature allows a user to insert arbitrary HTML inside the task instructions, resulting in a Stored XSS.

Details

The q parameter for the /api/automation endpoint does not get correctly sanitized when rendered on the page, resulting in the ability of users to inject arbitrary HTML/JS.

PoC

POST /api/automation?q=%22%3E%3C%2Ftextarea%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E%3Cscript%3Ealert(2)%3C%2Fscript%3E

Impact

Stored XSS:

Fix

Added a Content Security Policy to all config pages on the web client, including the automation page
Used DOM scripting to construct all components on the config pages, including the automation page

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-43396

CVE-2024-43396:

5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-43396

GHSA ID

GHSA-cf72-vg59-4j4h

EPSS Score

0.2571%

CWE

CWE-79

Published

8/20/2024

Updated

8/21/2024

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
khoj	pip	< 1.15.0	1.15.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper output encoding when rendering user-controlled input in the automation configuration interface. The original implementation in generateAutomationRow used innerHTML with template literals containing unsanitized values from the automation object (automation.subject, automation.crontime, automation.query_to_run). This allowed attackers to inject arbitrary HTML/JS via the 'q' parameter, which was reflected in the rendered page. The commit 1c7a562 fixed this by switching to DOM scripting methods (createElement/textContent) that inherently prevent XSS through proper context-aware escaping. The presence of innerHTML with user-controlled data in the pre-patch code matches the XSS vulnerability described in CVE-2024-43396.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-43396: Khoj Vulnerable to Stored Cross-site Scripting In Automate (Preview feature)

Summary

Details

PoC

Impact

Fix

CVE-2024-43396:

5.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

5.4

5.4

Technical Details

Basic Information

Basic Information

CVE-2024-43396: Khoj Vulnerable to Stored Cross-site Scripting In Automate (Preview feature)

Summary

Details

PoC

Impact

Fix

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI