Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-3019: fix: hide user data from comments module · ToolJet/ToolJet@45e0d33

The forgot password token basically just makes us capable of taking over the account of whoever comment in an app that we can see (bruteforcing comment id’s might also be an option but I wouldn’t count on it, since it would take a long time to find a valid one).

CVE

@@ -6,7 +6,7 @@ import { CommentRepository } from '…/repositories/comment.repository’; import { CreateCommentDto, UpdateCommentDto } from '…/dto/comment.dto’; import { groupBy, head } from 'lodash’; import { EmailService } from './email.service’; import { Repository } from 'typeorm’; import { createQueryBuilder, Repository } from 'typeorm’; import { AppVersion } from 'src/entities/app_version.entity’; import { User } from 'src/entities/user.entity’; import { CommentUsers } from 'src/entities/comment_user.entity’; @@ -23,7 +23,7 @@ export class CommentService { @InjectRepository(CommentUsers) private commentUsersRepository: Repository<CommentUsers>, private emailService: EmailService ) {} ) { }
public async createComment(createCommentDto: CreateCommentDto, user: User): Promise<Comment> { try { @@ -64,15 +64,17 @@ export class CommentService { }
public async getComments(threadId: string, appVersionsId: string): Promise<Comment[]> { return await this.commentRepository.find({ where: { return await createQueryBuilder(Comment, ‘comment’) .innerJoin('comment.user’, ‘user’) .addSelect(['user.id’, 'user.firstName’, ‘user.lastName’]) .andWhere('comment.threadId = :threadId’, { threadId, }) .andWhere('comment.appVersionsId = :appVersionsId’, { appVersionsId, }, order: { createdAt: 'ASC’, }, }); }) .orderBy('comment.createdAt’, ‘ASC’) .getMany(); }
public async getOrganizationComments(organizationId: string, appVersionsId: string): Promise<Comment[]> { @@ -93,16 +95,22 @@ export class CommentService { isResolved = false, appVersionsId: string ): Promise<Comment[]> { const comments = await this.commentRepository.find({ where: { thread: { appId, isResolved }, const comments = await createQueryBuilder(Comment, ‘comment’) .innerJoin('comment.user’, ‘user’) .addSelect(['user.id’, 'user.firstName’, ‘user.lastName’]) .innerJoin('comment.thread’, ‘thread’) .addSelect([‘thread.id’]) .andWhere('thread.appId = :appId’, { appId, }) .andWhere('thread.isResolved = :isResolved’, { isResolved, }) .andWhere('comment.appVersionsId = :appVersionsId’, { appVersionsId, }, order: { createdAt: 'DESC’, }, relations: [‘thread’], }); }) .orderBy('comment.createdAt’, ‘DESC’) .getMany();
const groupedComments = groupBy(comments, ‘threadId’);

Related news

Microsoft Releases Workaround for ‘One-Click’ 0Day Under Active Attack

Threat actors already are exploiting vulnerability, dubbed ‘Follina’ and originally identified back in April, to target organizations in Russia and Tibet, researchers said.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907