UiPath Security Advisories & Bulletins

UIPATH PRODUCT SECURITY

Please find a list of product security advisories for UiPath below.

  • UIPS-2021-001 - Security Advisory - UiPath Assistant - Content injection via URI handler

    Title: UiPath Assistant - Content injection via URI handler

    Publish Date: Dec 7, 2021

    Version: 1.0

    General Information

    Affected Versions:

    • Assistant 2021.4 to 2021.4.5

    • Assistant 2021.10 to 2021.10.3

    CVSS Score: 4.7

    Details: An issue was fixed in the handling of one command line parameter, the process name, which was reflected in the user interface of Assistant. This functionality let users see details about the process name when they encountered an error. It was possible for a malicious web page to open the desktop application and supply arbitrary text, which was then displayed in the Assistant user interface.

    Release Notes:

    Download Links:

    Suggested Actions:

    Update to latest Assistant patches available: 2021.4 and 2021.10

    The issue is not directly exploitable: it requires opening a malicious link and confirming the browser dialog that asks the user to open a custom link with UiPath Assistant.

    If you have any questions, please send an email to security.notifications@uipath.com or submit a ticket here.

  • UIPS-2021-002 - Security Advisory - UiPath Assistant - Remote Code Execution

    Title: UiPath Assistant - Remote Code Execution

    Publish Date: Dec 7, 2021

    Version: 1.0

    General Information

    Affected Versions:

    • Assistant 2021.4 to 2021.4.5

    • Assistant 2021.10 to 2021.10.3

    CVSS Score: 8.3

    Details:

    An issue was fixed in the processing of user-supplied widget identification command line parameters.

    The functionality allowed users to develop and run Assistant widgets from the command line.

    It was possible for a malicious web page to open the desktop application and to inject a remote file location of a widget using a network share.

    Release Notes:

    Download Links:

    Suggested Actions:

    Update to latest Assistant patches available: 2021.4 and 2021.10

    The issue is not directly exploitable: it requires opening a malicious link and confirming the browser dialog that asks the user to open a custom link with UiPath Assistant.

    If you have any questions, please send an email to security.notifications@uipath.com or submit a ticket here.

  • UIPS-2021-003 - Security Advisory - UiPath Apps Studio - Persistent Cross-Site Scripting

    Title: UiPath Apps Studio - Persistent Cross-Site Scripting

    Publish Date: Dec 7, 2021

    Version: 1.0

    General Information

    Affected Versions:

    • Automation Suite 2021.10.0

    • Automation Cloud

    CVSS Score: 7.9

    Details:

    An issue was fixed in the way uploaded icons are handled. It was possible for a malicious user with the rights to create an App to upload HTML code instead of a valid image. This might allow an attacker to craft a malicious URL, used to download the image, that executes arbitrary JavaScript code.

    Release Notes:

    Download Links:

    Suggested Actions:

    The issue was patched in the latest version available in Automation Cloud and on Automation Suite 2021.10.1.

    The issue was not directly exploitable in UiPath Apps: it required the attacker to have the rights to create an App and to send the malicious icon URL to other users. The vulnerability was not triggered by merely browsing the application that contained the malicious icon.

    If you have any questions, please send an email to security.notifications@uipath.com or submit a ticket here.

  • UIPS-2022-001 - Security Advisory - UiPath Orchestrator - Robot Account Takeover

    Title: UiPath Orchestrator - Robot Account Takeover

    Publish Date: April 7, 2022

    Version: 1.0

    General Information

    Affected Versions:

    • Orchestrator 2019.10 to 2019.10.22

    • Orchestrator 2020.10 to 2020.10.15

    • Orchestrator 2021.4 to 2021.4.3

    • Orchestrator 2021.10 to 2021.10.3

    • Orchestrator within Automation Suite 2021.10 to 2021.10.3

    • Automation Cloud

    CVSS Score: 8.3

    Details:

    The vulnerability allows an attacker with privileged access to a robot to retrieve the LicenseKey (MachineKey) of other robots within the same tenant by brute-forcing API calls to Orchestrator. This would theoretically allow the attacker to access resources restricted to that other robot.

    Release Notes:

    Download Links:

    Suggested Actions:

    The issue was patched in the latest version available in Automation Cloud, Automation Suite, and all supported Orchestrator versions.

    If you have any questions, please send an email to security.notifications@uipath.com or submit a ticket here.
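The two Assistant advisories above (UIPS-2021-001 and UIPS-2021-002) both concern parameters that a custom URI handler receives from a web page: text that is echoed back in the UI, and a widget location that may point at a network share. The Python below is an added example, not UiPath's code; the scheme name `example-assistant`, the parameter names `process` and `widget`, and the install path are hypothetical stand-ins, since the advisories do not publish Assistant's real URI format. It shows the validation a handler should apply before acting on such parameters: the reflected text is restricted to a short allowlisted character set, and the widget path must be a local, absolute path under the installed widget directory, with UNC locations and parent-directory traversal rejected.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import parse_qs, urlsplit

# Hypothetical scheme, parameter names and install path: the advisories do not
# publish Assistant's real URI format, so these are stand-ins for illustration.
SCHEME = "example-assistant"
WIDGET_ROOT = PureWindowsPath(r"C:\Program Files\ExampleAssistant\Widgets")
# Process names that may be echoed back to the user: a short allowlisted
# character set, so no markup or control characters reach the UI.
PROCESS_NAME_RE = re.compile(r"[A-Za-z0-9._ -]{1,64}")


def validate_process_name(raw: str) -> str:
    """Accept a process name only if it is plain, short, printable text."""
    if not PROCESS_NAME_RE.fullmatch(raw):
        raise ValueError("process name contains disallowed characters or is too long")
    return raw


def validate_widget_path(raw: str) -> str:
    """Accept a widget location only if it is a local file under WIDGET_ROOT."""
    path = PureWindowsPath(raw)
    # UNC paths (\\server\share\...) carry a drive that starts with a double
    # backslash; forward-slash spellings are normalised the same way.
    if not path.is_absolute() or not path.drive or path.drive.startswith("\\\\"):
        raise ValueError("widget must be a local, absolute path")
    if ".." in path.parts:
        raise ValueError("parent-directory traversal is not allowed")
    if WIDGET_ROOT not in path.parents:
        raise ValueError("widget must live under the installed widget directory")
    return str(path)


def parse_assistant_uri(uri: str) -> dict:
    """Parse a custom-scheme URI and return only the validated parameters."""
    parts = urlsplit(uri)
    if parts.scheme != SCHEME:
        raise ValueError("unexpected URI scheme")
    params = parse_qs(parts.query, keep_blank_values=False)
    result = {}
    if "process" in params:
        result["process"] = validate_process_name(params["process"][0])
    if "widget" in params:
        result["widget"] = validate_widget_path(params["widget"][0])
    return result


def uri_is_safe(uri: str) -> bool:
    """Convenience wrapper: True only if every parameter passes validation."""
    try:
        parse_assistant_uri(uri)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    ok = "example-assistant://open?process=Invoice%20Bot&widget=C%3A%5CProgram%20Files%5CExampleAssistant%5CWidgets%5Cmy.dll"
    print(parse_assistant_uri(ok))
    print(uri_is_safe("example-assistant://open?widget=%5C%5Cfileshare%5Cwidgets%5Cmy.dll"))
```

The design choice is to reject rather than sanitise: a handler that is invoked by a browser has no trustworthy caller, so anything outside the narrow expected shape is dropped before it reaches the UI or the widget loader. Note that `PureWindowsPath` does not touch the file system, so the checks run identically on any platform.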
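For UIPS-2021-003, the following Python is an added example (not UiPath Apps code) of the server-side checks that keep an "icon" upload that is really HTML from being stored and later served as a document. The size limit, the list of accepted raster formats and the header set are assumptions chosen for the example: the upload is checked against the file's magic bytes and its declared Content-Type, a PNG's declared dimensions are read from its IHDR chunk, and the stored icon is served with headers that prevent a browser from sniffing it into a page.

```python
import struct

MAX_ICON_BYTES = 256 * 1024        # constructed limit for illustration
MAX_ICON_SIDE = 1024               # pixels; checked from the PNG header only

# Magic numbers of the raster formats an icon endpoint would reasonably accept.
IMAGE_MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}
# Markup that should not appear at the start of a real image file.
MARKUP_HINTS = (b"<html", b"<script", b"<!doctype")


def sniff_image_type(data: bytes):
    """Return the MIME type implied by the file's leading bytes, or None."""
    for mime, magic in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def png_dimensions(data: bytes):
    """Read width/height from the IHDR chunk that must follow the PNG signature."""
    if len(data) < 24 or data[12:16] != b"IHDR":
        raise ValueError("PNG is missing its IHDR chunk")
    return struct.unpack(">II", data[16:24])


def validate_icon_upload(data: bytes, declared_type: str) -> str:
    """Return the MIME type to store, or raise ValueError if the upload is not a plain image."""
    if len(data) > MAX_ICON_BYTES:
        raise ValueError("icon too large")
    sniffed = sniff_image_type(data)
    if sniffed is None:
        raise ValueError("content is not a recognised raster image")
    # The client's claim must agree with what the bytes say.
    if declared_type.split(";")[0].strip().lower() != sniffed:
        raise ValueError("declared Content-Type does not match the file contents")
    # Belt and braces: markup hidden behind a forged magic number.
    head = data[:512].lower()
    if any(hint in head for hint in MARKUP_HINTS):
        raise ValueError("markup found inside image data")
    if sniffed == "image/png":
        width, height = png_dimensions(data)
        if not (0 < width <= MAX_ICON_SIDE and 0 < height <= MAX_ICON_SIDE):
            raise ValueError("icon dimensions out of range")
    return sniffed


def icon_response_headers(mime: str, filename: str) -> dict:
    """Headers that stop a browser from treating a stored icon as a page."""
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="{filename}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def icon_is_acceptable(data: bytes, declared_type: str) -> bool:
    try:
        validate_icon_upload(data, declared_type)
    except ValueError:
        return False
    return True


def make_test_png(width: int = 64, height: int = 64) -> bytes:
    """Constructed PNG prefix (signature + IHDR chunk header), for the demonstration only."""
    return (IMAGE_MAGIC["image/png"] + struct.pack(">I", 13) + b"IHDR"
            + struct.pack(">II", width, height) + b"\x08\x06\x00\x00\x00")


if __name__ == "__main__":
    print(validate_icon_upload(make_test_png(), "image/png"))
    print(icon_is_acceptable(b"<html><body>not an image</body></html>", "image/png"))
```

These checks are the minimum; a production service would additionally decode and re-encode the image with an imaging library so that only pixel data survives, and would serve user-supplied files from a separate origin so that any content that does slip through cannot run in the application's origin.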
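For UIPS-2022-001, the following Python is an added detection example, not UiPath's code: it runs over a constructed log of robot-record lookups (the line format and field names are assumptions, not Orchestrator's real log schema) and flags a robot credential that reads many different robots' records within a short window, which is the access pattern the advisory describes. Patched versions close the issue; this kind of monitoring is what a defender would keep in place to notice a robot credential being used outside its own scope.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format: one line per API request that resolves a robot record.
# Real Orchestrator logs look different; the field names are assumptions.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) caller=(?P<caller>\S+) target_robot=(?P<target>\S+) status=(?P<status>\d{3})$"
)
WINDOW = timedelta(minutes=5)   # sliding window per caller
THRESHOLD = 10                  # distinct robots touched inside the window


def parse_line(line: str):
    """Return (timestamp, caller, target, status) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["caller"], m["target"], int(m["status"])


def detect_enumeration(lines, window=WINDOW, threshold=THRESHOLD):
    """Flag callers that read many different robots' records in a short time.

    Lines are expected in chronological order.  One alert is raised per caller,
    the first time the number of distinct targets in the window reaches the
    threshold.
    """
    recent = defaultdict(deque)   # caller -> deque of (timestamp, target)
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, caller, target, _status = rec
        q = recent[caller]
        q.append((ts, target))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {t for _, t in q}
        if len(distinct) >= threshold and caller not in alerted:
            alerted.add(caller)
            alerts.append({
                "caller": caller,
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
                "distinct_targets": len(distinct),
            })
    return alerts


def _fmt(ts, caller, target, status):
    return f"{ts.isoformat().replace('+00:00', 'Z')} caller={caller} target_robot={target} status={status}"


def build_sample_log():
    """Constructed sample: one well-behaved caller and one walking through robot ids."""
    base = datetime(2022, 4, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # robot-07 reads its own record three times over three minutes
    for i in range(3):
        lines.append(_fmt(base + timedelta(minutes=i), "robot-07", "R-007", 200))
    # robot-12 requests twelve different robots, one every ten seconds
    for i in range(12):
        lines.append(_fmt(base + timedelta(seconds=10 * i), "robot-12", f"R-{i + 1:03d}", 200))
    lines.sort()   # ISO-8601 timestamps sort chronologically as text
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

The rule keys on breadth of access rather than on failed requests, because on an unpatched Orchestrator the lookups in question would succeed; a robot normally touches only its own record, so a credential spreading across a tenant's robots is the signal worth alerting on regardless of status code. The window and threshold are tuning knobs to set from a baseline of the tenant's normal traffic.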

Need to Report a Security Issue to UiPath?