Mend Vulnerability Database
Date: May 18, 2022
Overview:
ToolJet versions v0.5.0 to v1.2.2 are vulnerable to token leakage via the Referer header, which leads to account takeover. If the user opens the invite link/signup link and then clicks on any external link within the page, the password-set token/signup token is leaked in the Referer header. Using these tokens the attacker can access the user's account.

Details:
In the ToolJet application, if the user opens the invite link/signup link and then clicks on any external link within the page, the password-set token/signup token is leaked in the Referer header. Using these tokens the attacker can access the user's account.
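The mechanism above depends on what the browser puts in the Referer header when a page whose URL carries a token links out. The following added example (not ToolJet's own code; the hostname, paths and the `token` parameter name are constructed for illustration) models the Referer a browser sends under the common Referrer-Policy values, checks whether the token survives, and shows the complementary fix of pulling the token out of the URL on page load so later navigations have nothing to leak:

```javascript
// Query parameter names that must never reach a third party.
// "token" is an assumed name for this example, not ToolJet's real parameter.
const SECRET_PARAMS = ["token", "password_reset_token"];

// Model the Referer a browser attaches when navigating from `fromUrl`
// to `toUrl` under `policy`. Fragments (#...) are never sent, so they are dropped.
function refererFor(fromUrl, toUrl, policy) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol === "http:";
  const full = from.origin + from.pathname + from.search;
  switch (policy) {
    case "no-referrer":
      return null;
    case "same-origin":
      return sameOrigin ? full : null;
    case "strict-origin-when-cross-origin": // current browser default
      if (sameOrigin) return full;
      return downgrade ? null : from.origin + "/";
    case "no-referrer-when-downgrade": // older default: full URL leaks cross-origin
      return downgrade ? null : full;
    case "unsafe-url":
      return full;
    default:
      throw new Error("unsupported policy: " + policy);
  }
}

// True when the modelled Referer still carries one of the secret parameters.
function leaksToken(fromUrl, toUrl, policy) {
  const ref = refererFor(fromUrl, toUrl, policy);
  if (ref === null) return false;
  const params = new URL(ref).searchParams;
  return SECRET_PARAMS.some((p) => params.has(p));
}

// Defence independent of Referrer-Policy: read the token once on page load,
// then rewrite the address bar (history.replaceState in a browser) to the
// returned cleanUrl so no later click can leak it.
function stripSecretParams(pageUrl) {
  const u = new URL(pageUrl);
  const secrets = {};
  for (const p of SECRET_PARAMS) {
    if (u.searchParams.has(p)) {
      secrets[p] = u.searchParams.get(p);
      u.searchParams.delete(p);
    }
  }
  return { cleanUrl: u.toString(), secrets };
}
```

The same check applies to any page that receives a secret in its query string; a `Referrer-Policy: no-referrer` response header (or `rel="noreferrer"` on the external links) closes the leak for the policy cases, and stripping the token on load covers older browsers that still default to `no-referrer-when-downgrade`.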
PoC Details:
Log in to the application. Once logged in, hover over your username shortcut in the top right and click "Manage users". Click "Invite user", fill in the details, and press the "Create user" button. Check the logs, copy the invitation URL, and open it. Turn on Intercept in Burp Suite (or any other web proxy). Now click the "Terms and Conditions" link in the browser and inspect the intercepted request: the invitation token is leaked in the Referer header.
Affected Environments:
v0.5.0 to v1.2.2

Prevention:
Update to version v1.3.0 or later.
Good to know:
Information Leak / Disclosure (CWE-200)

CVSS v3 metrics:
|Attack Vector (AV):|Network|
|Attack Complexity (AC):|Low|
|Privileges Required (PR):|None|
|User Interaction (UI):|Required|

CVSS v2 metrics:
|Access Vector (AV):|Network|
|Access Complexity (AC):|Medium|