CVE-2022-3019
First published: Mon Aug 29 2022(Updated: )
The forgot password token basically just makes us capable of taking over the account of whoever comment in an app that we can see (bruteforcing comment id's might also be an option but I wouldn't count on it, since it would take a long time to find a valid one).
Credit: security@huntr.dev
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Tooljet Tooljet | <1.23.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2022-3019.
What is the severity of CVE-2022-3019?
CVE-2022-3019 has a severity rating of 8.8 (high).
What software is affected by CVE-2022-3019?
CVE-2022-3019 affects Tooljet Tooljet versions up to 1.23.0.
How can the vulnerability be exploited?
The vulnerability can be exploited by using the forgot password token to take over the account of a user who has commented in the app.
Is brute-forcing comment IDs a possible exploitation method for this vulnerability?
While brute-forcing comment IDs might be an option, it is not reliable as it would take a long time to find a valid one.
- collector/nvd-index
- agent/severity
- agent/references
- agent/author
- agent/type
- agent/event
- vendor/tooljet
- canonical/tooljet tooljet