CVE-2022-23067: Fix token present in referrer header (#2413) · ToolJet/ToolJet@eacbfc4

ToolJet versions v0.5.0 to v1.2.2 are vulnerable to token leakage via the Referer header, which leads to account takeover. The invite link and the signup link carry the password-set token or signup token in the URL itself. If the user opens such a link and then clicks any external link on the page, the browser sends the page URL, token included, in the Referer header of the outbound request. An attacker who controls or can read logs for the external site can use that token to access the user's account.
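The leak described above depends on the browser's referrer policy, so it helps to see exactly what gets sent. The following is an added example, not ToolJet's code: it models the W3C Referrer Policy algorithm for the Referer value a browser attaches when a page at `pageUrl` links to `targetUrl`, shows which policies expose a token that sits in the page URL, and models the fix pattern (token moved out of the path into router state, landing on a token-free URL). The hostnames, the token and the `/invitations/:token` to `/confirm` mapping are constructed for illustration.

```javascript
// Added example (not ToolJet code). Hostnames and token are constructed.
// Port of the referrer-policy decision table from the W3C Referrer Policy spec.

function stripForReferrer(url) {
  const u = new URL(url);
  // Non-HTTP(S) pages (about:, data:, ...) never produce a referrer.
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  u.username = '';   // credentials and fragment are always stripped
  u.password = '';
  u.hash = '';
  return u;
}

// Returns the Referer header value the browser would send, or null for none.
function refererFor(pageUrl, targetUrl, policy = 'strict-origin-when-cross-origin') {
  const page = stripForReferrer(pageUrl);
  if (!page) return null;
  const target = new URL(targetUrl);
  const sameOrigin = page.origin === target.origin;
  const downgrade = page.protocol === 'https:' && target.protocol === 'http:';
  const full = page.href;              // path and query survive, fragment does not
  const origin = page.origin + '/';    // origin-only referrers are sent with a trailing slash
  switch (policy) {
    case 'no-referrer':                 return null;
    case 'origin':                      return origin;
    case 'unsafe-url':                  return full;
    case 'strict-origin':               return downgrade ? null : origin;
    case 'same-origin':                 return sameOrigin ? full : null;
    case 'origin-when-cross-origin':    return sameOrigin ? full : origin;
    case 'no-referrer-when-downgrade':  return downgrade ? null : full;   // pre-2020 browser default
    case '':                            // empty string means "use the default"
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    default:
      throw new Error(`unknown referrer policy: ${policy}`);
  }
}

const ALL_POLICIES = [
  'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
  'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url',
];

function referrerLeaksSecret(pageUrl, targetUrl, policy, secret) {
  const ref = refererFor(pageUrl, targetUrl, policy);
  return ref !== null && ref.includes(secret);
}

// Which policies would expose `secret` when a user on pageUrl clicks targetUrl.
function policiesLeakingSecret(pageUrl, targetUrl, secret) {
  return ALL_POLICIES.filter((p) => referrerLeaksSecret(pageUrl, targetUrl, p, secret)).sort();
}

// The fix pattern: take the token out of the path and carry it in router
// state, so the URL the user ends up on (and any Referer derived from it)
// no longer contains it. Hypothetical route shape, modelled on the commit.
function tokenFreeRedirect(location) {
  const m = location.pathname.match(/^\/invitations\/([^/]+)\/?$/);
  if (!m) return null;
  return { pathname: '/confirm', search: location.search, state: { token: m[1] } };
}

// Constructed sample input, not real ToolJet URLs or tokens.
const TOKEN = 'c0nstructed-invite-token';
const INVITE_URL = `https://tooljet.example/invitations/${TOKEN}?org=acme`;
const EXTERNAL = 'https://docs.example.com/help';

function demo() {
  const landing = tokenFreeRedirect(new URL(INVITE_URL));
  const fixedUrl = `https://tooljet.example${landing.pathname}${landing.search}`;
  return {
    legacyDefault: refererFor(INVITE_URL, EXTERNAL, 'no-referrer-when-downgrade'),
    modernDefault: refererFor(INVITE_URL, EXTERNAL),
    leakyPolicies: policiesLeakingSecret(INVITE_URL, EXTERNAL, TOKEN),
    leakyPoliciesAfterFix: policiesLeakingSecret(fixedUrl, EXTERNAL, TOKEN),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

With no `Referrer-Policy` set, a browser on the older `no-referrer-when-downgrade` default sends the full invite URL to the external site; on the current `strict-origin-when-cross-origin` default it sends only the origin, which is why the bug was worse on older browsers. Same-origin links still carry the full URL under every policy except `no-referrer`, which is acceptable for first-party navigation but is a reason to keep secrets out of URLs entirely. Moving the token out of the path, as the fix does, removes the leak under every policy; a `Referrer-Policy: no-referrer` response header or `rel="noreferrer"` on external links is a cheap second layer.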

Tags: CVE, #oauth, #auth

@@ -1,12 +1,12 @@ import React from 'react’; import { Router, Route } from 'react-router-dom’; import { Router, Route, Redirect } from 'react-router-dom’; import { history } from '@/_helpers’; import { authenticationService, tooljetService } from '@/_services’; import { PrivateRoute } from '@/_components’; import { HomePage } from '@/HomePage’; import { LoginPage } from '@/LoginPage’; import { SignupPage } from '@/SignupPage’; import { InvitationPage } from '@/InvitationPage’; import { ConfirmationPage } from '@/ConfirmationPage’; import { Authorize } from '@/Oauth2’; import { Authorize as Oauth } from '@/Oauth’; import { Editor, Viewer } from '@/Editor’; @@ -118,7 +118,18 @@ class App extends React.Component { <Route path="/signup" component={SignupPage} /> <Route path="/forgot-password" component={ForgotPassword} /> <Route path="/reset-password" component={ResetPassword} /> <Route path="/invitations/:token" component={InvitationPage} /> <Route path="/invitations/:token" render={(props) => ( <Redirect to={{ pathname: '/confirm’, state: { token: props.match.params.token, search: props.location.search }, }} /> )} /> <Route path="/confirm" component={ConfirmationPage} /> <PrivateRoute exact path="/apps/:id"
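Review bot: the import hunk bundles an unrelated change into the security fix: `import { Authorize } from '@/Oauth2';` becomes `import { Authorize as Oauth } from '@/Oauth';`, which has nothing to do with the Referer leak and makes this commit harder to review and to backport to the affected v0.5.0 to v1.2.2 line. Keep this commit to adding `Redirect` to the react-router-dom import and move the Oauth rename to its own commit. Also check whether `InvitationPage` is still referenced anywhere now that the route below no longer renders it; if not, drop the import.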
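Review bot: the route hunk makes `ConfirmationPage` depend on `props.location.state.token`, but nothing guards the case where that state is absent: a user who opens `/confirm` directly, or whose tab is restored without history state, arrives with `token` undefined. Have `ConfirmationPage` check for a missing token and show an error or send the user back to login rather than submitting an undefined token. The redirect forwards the query string unchanged (`search: props.location.search`), so verify that invite links never carry anything sensitive in the query, or it will still be visible in the `/confirm` URL and in any Referer sent from there. `<Redirect>` replaces rather than pushes the history entry by default, which is the right choice here; add a one-line comment stating that the redirect exists to keep the token out of the address bar and the Referer header, so it is not "simplified" back to `component={InvitationPage}` later. Finally, the advisory also names the password-set token; the `/reset-password` route in the unchanged context is untouched, so if that flow carries its token in the URL it needs the same treatment.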
