An issue was discovered in UiPath Assistant 21.4.4. User-controlled data supplied to the --process-start argument of the URI handler for uipath-assistant:// is not correctly encoded, resulting in attacker-controlled content being injected into the error message displayed (when the injected content does not match an existing process). A determined attacker could leverage this to execute JavaScript in the context of the Electron application.
Add your gear to cvedb and we'll alert you only when uipath ships something exploited.
Check my exposure →This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.