CVE-2022-23067: Infoleak
First published: Wed May 18 2022(Updated: )
ToolJet versions v0.5.0 to v1.2.2 are vulnerable to token leakage via Referer header that leads to account takeover . If the user opens the invite link/signup link and then clicks on any external links within the page, it leaks the password set token/signup token in the referer header. Using these tokens the attacker can access the user’s account.
Credit: vulnerabilitylab@mend.io
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Tooljet Tooljet | >=0.5.0<=1.2.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2022-23067.
What is the severity of CVE-2022-23067?
The severity of CVE-2022-23067 is high with a value of 8.8.
Which versions of ToolJet are affected by CVE-2022-23067?
ToolJet versions v0.5.0 to v1.2.2 are affected by CVE-2022-23067.
How does CVE-2022-23067 work?
CVE-2022-23067 allows for token leakage via the Referer header, which can lead to account takeover.
How can I fix CVE-2022-23067?
Updating ToolJet to a version higher than v1.2.2 will fix the vulnerability.
- collector/nvd-index
- vendor/tooljet
- canonical/tooljet tooljet
- version/tooljet tooljet/0.5.0
- version/tooljet tooljet/1.2.2