...
The attacker must have the ability to send the user a specially crafted URL and the user must click on the link.
The user must have configured a default Kasm Workspace in their profile settings OR the administrator must have configured a default workspace at the group level. These are both non-default configurations that require end-user or administrator action.
Browsers accept a large number of command-line arguments, and many of them open additional attack vectors, so the vulnerability should be mitigated and/or patched.
This vulnerability was reported by Elephantastic Software.
Mitigation
The vulnerability can be mitigated by ensuring that no user has a default workspace image set in their profile settings and that administrators remove the default_image setting from the group settings of every group.
...