Khoj Obsidian Vulnerable to Cross Site Scripting (XSS) via Prompt Injection

CVE-2024-25639

7.5HIGH

Key Information

Vendor: Khoj-ai
Status: Khoj
Vendor: CVE Published:; 8 July 2024

Summary

Khoj is an application that creates personal AI agents. The Khoj Obsidian, Desktop and Web clients inadequately sanitize the AI model's response and user inputs. This can trigger Cross Site Scripting (XSS) via Prompt Injection from untrusted documents either indexed by the user on Khoj or read by Khoj from the internet when the user invokes the /online command. This vulnerability is fixed in 1.13.0.

Affected Version(s)

khoj = < 1.13.0

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published.
Jul 8, 2024
Vulnerability Reserved.
Feb 8, 2024

Collectors

NVD DatabaseMitre Database