
CVE-2022-23067

Date: May 18, 2022

Overview

ToolJet versions v0.5.0 to v1.2.2 are vulnerable to token leakage via the Referer header, leading to account takeover. If a user opens an invite link or signup link and then clicks any external link on that page, the password-set token or signup token is sent to the external site in the Referer header. With that token the attacker can complete the invitation or signup flow themselves and access the user's account.

Details

In ToolJet the invitation and signup pages are reached through a URL that carries the password-set or signup token. When the user clicks an external link on such a page, the browser includes the page URL, token and all, in the Referer header of the request to the external site, so anyone who can read that site's request logs obtains the token. Using these tokens the attacker can access the user's account.

PoC Details

1. Log in to the application.
2. Hover over your username in the top right and click Manage Users.
3. Click Invite User, fill in the details and press the Create User button.
4. Check the application logs, copy the invitation URL and open it in the browser.
5. Turn on Intercept in Burp Suite (or any other web proxy).
6. Click the Terms and Conditions link on the invite page and inspect the intercepted request: the invitation token is sent to the external site in the Referer header.
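The following is an added example, not ToolJet's code and not the fix shipped in v1.3.0. It models what the PoC above observes (the invite page URL, token included, arriving at a third party as the Referer) and shows the two server-side controls a developer would reach for: a Referrer-Policy: no-referrer response header and rel="noreferrer" on external links. The invite URL, token value, external link and HTML are constructed for the illustration; computeReferer only approximates the three policies that matter here.

```javascript
// Added example (not ToolJet's code): why a secret carried in the page URL
// reaches a third party through the Referer header, and two server-side
// controls that stop it. All URLs, the token value and the HTML are
// constructed for this illustration.

// Constructed invite link in the vulnerable shape: the secret is in the URL.
const INVITE_URL = "https://app.example.test/invitations?token=4f1c9e2b-constructed";
const APP_ORIGIN = new URL(INVITE_URL).origin;
const TERMS_URL = "https://example.com/terms"; // the external link on the page

// Approximates the referrer a browser sends when navigating from `fromUrl`
// to `toUrl` under the given Referrer-Policy. Only the three policies that
// matter for this bug are modelled; real browsers implement more.
function computeReferer(fromUrl, toUrl, policy) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const downgrade = from.protocol === "https:" && to.protocol === "http:";
  const fullUrl = from.origin + from.pathname + from.search; // fragment is never sent
  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade": // legacy default: leaks path and query
      return downgrade ? null : fullUrl;
    case "strict-origin-when-cross-origin": // current browser default
      if (downgrade) return null;
      return from.origin === to.origin ? fullUrl : from.origin + "/";
    default:
      throw new Error("unmodelled Referrer-Policy: " + policy);
  }
}

// Adds rel="noopener noreferrer" to every <a> whose href leaves appOrigin.
// Same-origin links are untouched; an existing rel attribute is extended.
function rewriteExternalLinks(html, appOrigin) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, attrs) => {
    const href = /\bhref="([^"]*)"/i.exec(attrs);
    if (!href) return tag;
    let target;
    try {
      target = new URL(href[1], appOrigin);
    } catch {
      return tag;
    }
    if (target.origin === appOrigin) return tag;
    const rel = /\brel="([^"]*)"/i.exec(attrs);
    if (!rel) return `<a${attrs} rel="noopener noreferrer">`;
    const values = new Set(rel[1].split(/\s+/).filter(Boolean));
    values.add("noopener");
    values.add("noreferrer");
    return `<a${attrs.replace(rel[0], `rel="${[...values].join(" ")}"`)}>`;
  });
}

// Builds the invite page response. The vulnerable shape emits no policy; the
// hardened shape sends Referrer-Policy: no-referrer for the whole document
// and marks the external link too, so the token stays put whatever the
// visitor's browser default happens to be.
function inviteResponse(hardened) {
  const token = new URL(INVITE_URL).searchParams.get("token");
  const html =
    `<form method="post" action="/invitations/accept">` +
    `<input type="hidden" name="token" value="${token}">` +
    `<a href="${TERMS_URL}">Terms and Conditions</a></form>`;
  if (!hardened) return { url: INVITE_URL, headers: {}, html };
  return {
    url: INVITE_URL,
    headers: { "Referrer-Policy": "no-referrer" },
    html: rewriteExternalLinks(html, APP_ORIGIN),
  };
}

// What the intercepting proxy in the PoC sees: the Referer the browser
// attaches when the user clicks `linkHref` on the invite page. A
// rel="noreferrer" on the link wins over the document policy, which in turn
// wins over the browser default.
function simulateClick(response, browserDefaultPolicy, linkHref) {
  const escaped = linkHref.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const anchor = new RegExp(`<a\\b[^>]*href="${escaped}"[^>]*>`, "i").exec(response.html);
  const linkNoReferrer = anchor !== null && /\brel="[^"]*\bnoreferrer\b[^"]*"/i.test(anchor[0]);
  const policy = linkNoReferrer
    ? "no-referrer"
    : (response.headers["Referrer-Policy"] || browserDefaultPolicy);
  return computeReferer(response.url, linkHref, policy);
}

// True when the observed Referer still contains the invite token.
function refererLeaksToken(referer) {
  const token = new URL(INVITE_URL).searchParams.get("token");
  return referer !== null && referer.includes(token);
}

// Run the PoC against both shapes under a legacy and a current browser default.
for (const browserDefault of ["no-referrer-when-downgrade", "strict-origin-when-cross-origin"]) {
  for (const hardened of [false, true]) {
    const referer = simulateClick(inviteResponse(hardened), browserDefault, TERMS_URL);
    console.log(`${hardened ? "hardened  " : "vulnerable"} | ${browserDefault.padEnd(31)} | Referer: ${referer} | token leaked: ${refererLeaksToken(referer)}`);
  }
}
```

Two things the run makes visible. First, whether the vulnerable page leaks depends entirely on the visitor's browser default: under the legacy no-referrer-when-downgrade policy the full invite URL goes out, while a browser defaulting to strict-origin-when-cross-origin trims it to the origin. An application must not rely on that, which is why the hardened shape sets the policy itself. Second, the stronger control, independent of any referrer handling, is to keep the secret out of the URL the page is rendered from, for example by consuming the token once on arrival and redirecting to a token-free path; that is a general hardening practice and not a description of what ToolJet changed in v1.3.0.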

Affected Environments

v0.5.0 to v1.2.2

Prevention

Upgrade ToolJet to v1.3.0 or later.

Language: JS

Good to know:

Information Leak / Disclosure (CWE-200)

Insufficient Information (NVD-CWE-noinfo)

CVSS v3 Base Score: 8.8 (High), computed from the metrics below
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Base Score: 6.8 (Medium), computed from the metrics below
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): None
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial