UiPath Robot

The UiPath Robot Guide

2021.4.6

Release date: 2 December 2021

Security Update

  • The UiPath Assistant desktop application registers a URI handler so that specific links in web applications can open it. This functionality is used for sign-in, notifications, and error messages.
    • An issue was fixed in one command line parameter, the name of the process, which is reflected in the Assistant user interface. The parameter lets users see the name of the process that encountered an error; however, a malicious web page opening the desktop application could supply arbitrary text, which was then displayed in the Assistant user interface.
    • A separate issue was fixed in one command line parameter that identifies a widget. The parameter lets users develop and run Assistant widgets from the command line; however, a malicious web page opening the desktop application could inject a remote file location for a widget using a network share.
    • The issues are not directly exploitable. They require the user to open a malicious link and confirm the browser dialog that asks whether to open a custom link with UiPath Assistant.
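Both fixes concern arguments that reach a desktop application through its URI handler. The following added example (not UiPath's code and not its actual fix) shows one way a handler can treat such arguments as untrusted: a process name is displayed only if the application already knows it, and a widget location is accepted only if it is a local drive-letter path. The scheme `exampleapp`, the parameter names `processName` and `widgetPath`, and the `known_processes` set are hypothetical.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import parse_qs, urlsplit

# Hypothetical names: the page does not give the real scheme or parameters.
SCHEME = "exampleapp"
DRIVE_RE = re.compile(r"[A-Za-z]:")


def is_local_widget_path(value):
    r"""Accept only absolute drive-letter paths such as C:\widgets\w1.

    UNC shares, \\?\ device paths, URLs, relative paths and '..' are rejected.
    A mapped network drive (Z:) still passes; detecting it needs an OS query.
    """
    p = PureWindowsPath(value)
    return bool(DRIVE_RE.fullmatch(p.drive)) and p.root == "\\" and ".." not in p.parts


def parse_activation(uri, known_processes):
    """Return (accepted, rejected); names are shown only if in known_processes."""
    parts = urlsplit(uri)
    if parts.scheme != SCHEME:
        return {}, ["scheme"]
    accepted, rejected = {}, []
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        value = values[0]
        if len(values) != 1:
            rejected.append(key)  # repeated parameter: ambiguous, refuse
        elif key == "processName" and value in known_processes:
            accepted[key] = value
        elif key == "widgetPath" and is_local_widget_path(value):
            accepted[key] = str(PureWindowsPath(value))
        else:
            rejected.append(key)  # failed validation or unknown parameter
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample URIs; files.example is a placeholder host.
    known = {"Invoice_Run"}
    for uri in (
        "exampleapp://open?processName=Invoice_Run&widgetPath=C%3A%5Cwidgets%5Cw1",
        "exampleapp://open?processName=Call+555-0100&widgetPath=%5C%5Cfiles.example%5Cshare%5Cw1",
    ):
        print(parse_activation(uri, known))
```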

Additional information on the updates described above can be found on the following links:

More details can be found in the advisory section of the UiPath Trust Portal.

Erratum 16 December 2021: added links to the UiPath Trust Portal advisory for these issues.
