CVE-2022-27979: security-advisories/20220321-tooljet-xss.md at main · fourcube/security-advisories
A cross-site scripting (XSS) vulnerability in ToolJet v1.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Comment Body component.
Advisory
Software: ToolJet
Vendor: ToolJet Solutions Inc.
Affected Versions: < 1.11.0
CVE: CVE-2022-27979
CWE IDs: CWE-79 (Improper Neutralization of Input During Web Page Generation)
Reporter: Chris Grieger
Description
https://github.com/ToolJet/ToolJet
ToolJet is an open-source low-code framework to build and deploy internal tools quickly without much effort from the engineering teams. You can connect to your data sources, such as databases (like PostgreSQL, MongoDB, Elasticsearch, etc), API endpoints (ToolJet supports importing OpenAPI spec & OAuth2 authorization), and external services (like Stripe, Slack, Google Sheets, Airtable) and use our pre-built UI widgets to build internal tools.
Through improper sanitization of user input, the application allows an authenticated attacker to perform a stored cross-site scripting (XSS) attack against other users through the Comment component of the ToolJet Job Editor.
POC
Authenticated users can add a comment to a ToolJet app. When a user activates the comments 'submenu', the malicious JavaScript payload stored in the comment body is executed in that user's browser.
The following is an example payload that demonstrates the vulnerability.
<img style="visibility:hidden" onerror="console.log`xss`" src="__">
Mitigation
Update ToolJet to a version >= 1.11.0.
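The root cause (CWE-79) is that the comment body is inserted into the page as markup rather than as text. The snippet below is an added illustration, not ToolJet's code: it contrasts the unsafe pattern with an output-encoding fix and includes a small check that can be used to verify the encoded output no longer carries element tags. The function names and the wrapping `<div>` are assumptions; the payload string is the one from the POC above.

```javascript
// Added example (not ToolJet's code): rendering an untrusted comment body
// without letting the browser parse it as HTML.

// Payload from the advisory's POC, embedded here as test input.
const COMMENT_FROM_ADVISORY =
  '<img style="visibility:hidden" onerror="console.log`xss`" src="__">';

// Vulnerable pattern: the body is concatenated into an HTML fragment, so any
// tag and any event-handler attribute it contains become part of the DOM.
// In React this corresponds to dangerouslySetInnerHTML; in plain DOM code to
// assigning innerHTML.
function renderCommentUnsafe(body) {
  return `<div class="comment-body">${body}</div>`;
}

// Hardened pattern: encode the HTML-significant characters so the text is
// displayed literally. (Assigning textContent, or passing the string as a
// JSX child, achieves the same result.)
function escapeHtml(text) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderCommentSafe(body) {
  return `<div class="comment-body">${escapeHtml(body)}</div>`;
}

// Verification helper: strip the trusted wrapper (assumed to be exactly the
// <div> above) and report whether the untrusted part still contains a
// literal tag opener. Event handlers such as onerror only fire when they sit
// inside a parsed tag, so a fragment with no tag opener cannot run script.
function containsMarkup(fragment) {
  const inner = fragment
    .replace(/^<div class="comment-body">/, '')
    .replace(/<\/div>$/, '');
  return /<[a-zA-Z/!]/.test(inner);
}

// Stand-alone demonstration.
console.log('unsafe contains markup:', containsMarkup(renderCommentUnsafe(COMMENT_FROM_ADVISORY)));
console.log('safe contains markup:  ', containsMarkup(renderCommentSafe(COMMENT_FROM_ADVISORY)));
```

If comments are required to support a subset of formatting, encoding everything is not an option; in that case the body should pass through an allowlist-based HTML sanitizer (for example DOMPurify's `sanitize`) before insertion, and the same `containsMarkup`-style check can be adapted to assert that only the permitted elements survive.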
Timeline
| Date | Action |
| --- | --- |
| 2022/03/21 | Contacted developers with security finding, POC and mitigation note. |
| 2022/04/22 | Fix version released. |