2021.10.1
An issue was fixed in the way uploaded icons are handled. The issue allowed a user with the rights to create an app to upload an HTML code instead of a valid image. This behavior could have allowed an attacker to create a malicious URL used to download the image to execute arbitrary JavaScript code.
The issue was not directly exploitable in UiPath Apps, as it required the attacker to have the rights to create an app and send the malicious icon URL to other users in order to exploit it. The vulnerability was not triggered by just browsing the application with the malicious icon.
More details can be found in the advisory section of the UiPath Trust Portal.
- Previously, when using Apps in the Automation Suite offline environment, some components were not loaded properly. This is now fixed and all components are loaded as expected.
- Previously, when assigning an app variable in the Assign file to app variable property in the Get File from Storage bucket rule, the app variable was not saved. This is now fixed and the variable is saved.
