Overview
ToolJet versions v0.6.0 through v1.10.2 are vulnerable to HTML injection: an attacker can place HTML markup in the first name and last name fields while inviting a new user, and that markup is reflected unescaped in the invitation e-mail.
Details
The ToolJet application does not encode the first name and last name supplied on the invite-user form before inserting them into the invitation e-mail template. An attacker with permission to invite users can therefore inject HTML into those fields, and the injected markup is rendered in the e-mail the invitee receives.
PoC Details
Log in to the application. Hover over your username shortcut in the top right and click Manage Users, then click Invite User. Turn on Intercept in Burp Suite (or any other web proxy), fill in the invitee details and submit the form so the request is intercepted. In the intercepted request, replace the first name with the payload from the PoC Code section and forward the request.
As the invited user, open the e-mail and click the link; the HTML page renders with the injected payload.
PoC Code
Click <a href='http://evil.com'>here</a> to reset your password.<div style='display:none'>
Affected Environments
v0.6.0 to v1.10.2
Prevention
Update to v1.11.0 or later.
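To illustrate the class of defect and its fix independently of ToolJet's own source, the following is an added example (not code from the advisory or the project): a hypothetical invite-e-mail template that interpolates the invitee's names verbatim, the same template with contextual HTML escaping, and a small check that flags tags in the rendered e-mail that the template did not put there. The template text and tag list are assumptions; the payload is the one given in the PoC Code section.

```javascript
// Added illustrative example; not ToolJet's code. Shows how an invite-e-mail
// template that interpolates user-supplied names verbatim reflects HTML, and
// how escaping for the HTML context neutralises the same input.

// Payload copied from the PoC Code section of the advisory.
const PAYLOAD =
  "Click <a href='http://evil.com'>here</a> to reset your password.<div style='display:none'>";

// Escape the five characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (hypothetical template): names dropped straight into the HTML body.
function renderInviteUnsafe(firstName, lastName) {
  return `<p>Hello ${firstName} ${lastName}, you have been invited.</p>`;
}

// Hardened pattern: every untrusted field is escaped for the HTML context it lands in.
function renderInviteSafe(firstName, lastName) {
  return `<p>Hello ${escapeHtml(firstName)} ${escapeHtml(lastName)}, you have been invited.</p>`;
}

// Tags the hypothetical template legitimately emits.
const TEMPLATE_TAGS = ['p'];

// Detection aid for a test suite or outbound-mail check: list every tag name in the
// rendered e-mail that is not part of the template itself.
function injectedTags(rendered, templateTags) {
  const tags = [...rendered.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.filter((t) => !templateTags.includes(t));
}

// Demo: the unsafe render leaks <a> and <div>; the safe render emits only the template's <p>.
console.log(injectedTags(renderInviteUnsafe(PAYLOAD, 'Doe'), TEMPLATE_TAGS)); // [ 'a', 'a', 'div' ]
console.log(injectedTags(renderInviteSafe(PAYLOAD, 'Doe'), TEMPLATE_TAGS));   // []
```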