Overview
ToolJet versions v0.5.0 to v1.2.2 are vulnerable to token leakage via the Referer header, which leads to account takeover. If a user opens an invite link or signup link and then clicks any external link on that page, the browser sends the password-set token or signup token to the external site in the Referer header. With these tokens an attacker can access the user's account.
Details
In ToolJet, if a user opens an invite link or signup link and then clicks any external link on that page, the password-set token or signup token is leaked in the Referer header of the request to the external site. With these tokens an attacker can access the user's account.
PoC Details
Log in to the application. Once logged in, hover over your username shortcut in the top right and click "Manage users". Click "Invite user", fill in the details, and press the "Create user" button. Check the logs, copy the invitation URL and paste it into the browser. Turn on Intercept in Burp Suite (or any other web proxy). If you now click the "Terms and conditions" link in the browser and inspect the intercepted request, you will see the invitation token being leaked in the Referer header.
Affected Environments
v0.5.0 to v1.2.2
Prevention
Update to version v1.3.0 or later.