Advisories for Pypi/Khoj package

2024

khoj has an IDOR in subscription management allows unauthorized subscription modifications

An Insecure Direct Object Reference (IDOR) vulnerability in the update_subscription endpoint allows any authenticated user to manipulate other users' Stripe subscriptions by simply modifying the email parameter in the request.

Khoj Vulnerable to Stored Cross-site Scripting In Automate (Preview feature)

The Automation feature allows a user to insert arbitrary HTML inside the task instructions, resulting in a Stored XSS.