CVE-2022-23067 HIGH

CVE-2022-23067: ToolJet - Token Leakage via Referer Header

Vendor Tooljet

Product ToolJet

Weakness CWE-200 · Info exposure

Published May 18, 2022

Last update September 16, 2024

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

ToolJet versions v0.5.0 to v1.2.2 are vulnerable to token leakage via Referer header that leads to account takeover . If the user opens the invite link/signup link and then clicks on any external links within the page, it leaks the password set token/signup token in the referer header. Using these tokens the attacker can access the user’s account.

Key dates

02Disclosure timeline

May 18, 2022 CVE published

September 16, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2022-23067 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/200.html

Related vulnerabilities

Identifiers

CVE CVE-2022-23067

CWE CWE-200

CVSS 8.8 / HIGH

Affected versions

Vendor Tooljet

Product ToolJet

Affected ≥ 0.5.0 and < unspecified

Vendor Tooljet

Product ToolJet

Affected ≥ unspecified and ≤ 1.2.2

CVE-2022-23067: ToolJet - Token Leakage via Referer Header

01Description

02Disclosure timeline

03References

04Related CVE