U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): UiPATH
  • Search Type: Search All
  • Match: Exact
  • CPE Name Search: false
There are 5 matching records.
Displaying matches 1 through 5.
Vuln ID Summary CVSS Severity

An issue was discovered in UiPath App Studio 21.4.4. There is a persistent XSS vulnerability in the file-upload functionality for uploading icons when attempting to create new Apps. An attacker with minimal privileges in the application can build their own App and upload a malicious file containing an XSS payload, by uploading an arbitrary file and modifying the MIME type in a subsequent HTTP request. This then allows the file to be stored and retrieved from the server by other users in the same organization.

Published: December 14, 2021; 1:15:08 PM -0500
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW

An issue was discovered in UiPath Assistant 21.4.4. User-controlled data supplied to the --process-start argument of the URI handler for uipath-assistant:// is not correctly encoded, resulting in attacker-controlled content being injected into the error message displayed (when the injected content does not match an existing process). A determined attacker could leverage this to execute JavaScript in the context of the Electron application.

Published: December 14, 2021; 1:15:08 PM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH

UiPath Assistant 21.4.4 will load and execute attacker controlled data from the file path supplied to the --dev-widget argument of the URI handler for uipath-assistant://. This allows an attacker to execute code on a victim's machine or capture NTLM credentials by supplying a networked or WebDAV file path.

Published: December 14, 2021; 1:15:08 PM -0500
V3.1: 9.8 CRITICAL
V2.0: 10.0 HIGH

UiPath Orchestrator before 2018.3.4 allows CSV Injection, related to the Audit export, Robot log export, and Transaction log export features.

Published: August 08, 2019; 9:15:11 AM -0400
V3.0: 5.5 MEDIUM
V2.0: 4.3 MEDIUM

UiPath Orchestrator through 2018.2.4 allows any authenticated user to change the information of arbitrary users (even administrators) leading to privilege escalation and remote code execution.

Published: April 11, 2019; 1:29:00 PM -0400
V3.0: 8.8 HIGH
V2.0: 6.5 MEDIUM