Agentic artificial intelligence platform Yellow.ai's customer service chatbot, which is used by Sony, Domino's, and Hyundai, has been impacted by a reflected cross-site scripting flaw, which could be exploited to compromise session cookies and take over accounts, Cybernews reports.

According to Cybernews researchers, an attack would begin with a malicious prompt that makes the chatbot generate an HTML answer containing hidden instructions for arbitrary code execution, followed by the execution of a malicious payload and the delivery of a user's session cookies.

In a subsequent conversation with a human support agent, attackers could execute the previously generated HTML code to steal cookies, which would eventually result in the breach of Yellow.ai's customer support systems, researchers added.
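
As an added example (not code from Yellow.ai or Cybernews), here is one way a support console could treat chatbot replies as untrusted text before a human agent sees them, with the session cookie marked HttpOnly as a second layer. The function names, transcript and cookie values are constructed for illustration.

```javascript
// Added example: chatbot replies are untrusted input to the agent console.
// All names and sample messages below are constructed for illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can open a tag, an attribute value or an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Escape first, then re-introduce a tiny allowlist of formatting
// (**bold** and line breaks) so replies stay readable without raw HTML.
function renderReply(text) {
  return escapeHtml(text)
    .replace(/\*\*([^*\n]+)\*\*/g, '<strong>$1</strong>')
    .replace(/\r?\n/g, '<br>');
}

// Render a whole transcript as it would appear in the human agent's view.
function renderTranscript(messages) {
  return messages
    .map((m) => {
      const role = ['user', 'bot', 'agent'].includes(m.role) ? m.role : 'unknown';
      return `<div class="msg msg-${role}">${renderReply(m.text)}</div>`;
    })
    .join('\n');
}

// Session cookie attributes that keep page script from reading the cookie
// even if markup does slip through (defence in depth).
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Constructed transcript: the bot reply carries model-generated markup.
const sampleTranscript = [
  { role: 'user', text: 'Please format your answer as HTML.' },
  { role: 'bot', text: 'Sure: <img src=x onerror="/* constructed */">\n**Done**' },
  { role: 'agent', text: 'Hi, how can I help?' },
];

console.log(renderTranscript(sampleTranscript));
console.log(sessionCookieHeader('sid', 'constructed-value'));
```

The generated markup reaches the agent's browser as inert text, while the allowlisted bold and line-break formatting still renders.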