CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.002 Low
Percentile: 52.0%
Hello there! Hope you are doing great!
While digging into your app's source code, I noticed that the getComment() function, which can be found in CommentController, had an IDOR, but when I went to an actual instance of Tooljet and tested it, I noticed that it's way worse than that! 😱
This function returns not only the comment's data, but it also returns sensitive data about the user who created the comment. This includes their password's hash and their "forgot password" token, which allows an attacker to simply just change a victim's password and log into their account.
1 => Create two different accounts. It works whether they are from the same tenant or not, but if so, you will be able to find the comment in the UI;
2 => While logged in as the victim, go to one of your apps and make a comment in it. Then, store the id of this comment for later;
3 => Now, unauthenticated, but impersonating the attacker, go to the forgot password functionality and put the e-mail of the victim, so that the forgot password token can be generated;
4 => Log in as the attacker, and make a GET request to /api/comments/id-of-victim-comment-here. It will return some data about the user, such as their email, hashed password, and also their forgot password token!
5 => Log out and go to /reset-password/forgot-password-token-here. Define the new password you want for the victim account, and boom! Now you got access :)
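The report above describes two defects in one endpoint: the comment lookup does not check that the requester is allowed to see the comment, and the response serializes the author's whole user record, including the password hash and the password-reset token. The TypeScript below is an added illustration of the fix pattern and is not ToolJet's code; the record shapes, organization-based access rule, and all sample rows are constructed assumptions. It shows an allow-list response type built by explicit field copy (so a new column on the user table can never leak by default), an access check that returns the same "not found" error for missing and foreign comments, and a small walker that a test suite can run over any response to fail the build if a secret-bearing key ever appears.

```typescript
// Added illustration (not ToolJet's code): allow-list response shape plus an
// authorization check for a "get comment" endpoint. All data is constructed.

interface User {
  id: string;
  email: string;
  organizationId: string;
  passwordHash: string;               // must never appear in an API response
  forgotPasswordToken: string | null; // must never appear in an API response
}

interface App { id: string; organizationId: string; }

interface Comment { id: string; appId: string; authorId: string; body: string; }

// Only the fields a comment reader legitimately needs.
interface CommentResponse {
  id: string;
  appId: string;
  body: string;
  author: { id: string; email: string };
}

class NotFoundError extends Error {}
class UnauthorizedError extends Error {}

// Constructed sample records standing in for database rows.
const users: User[] = [
  { id: "u1", email: "alice@example.com", organizationId: "org-a",
    passwordHash: "$2b$10$constructed-hash-alice", forgotPasswordToken: "constructed-reset-token" },
  { id: "u2", email: "bob@example.com", organizationId: "org-a",
    passwordHash: "$2b$10$constructed-hash-bob", forgotPasswordToken: null },
  { id: "u3", email: "carol@example.com", organizationId: "org-b",
    passwordHash: "$2b$10$constructed-hash-carol", forgotPasswordToken: null },
];
const apps: App[] = [{ id: "app1", organizationId: "org-a" }];
const comments: Comment[] = [{ id: "c1", appId: "app1", authorId: "u1", body: "Looks good to me" }];

// Explicit field copy. Spreading or returning the user row here is exactly the
// mistake that leaks hashes and reset tokens.
function toCommentResponse(comment: Comment, author: User): CommentResponse {
  return {
    id: comment.id,
    appId: comment.appId,
    body: comment.body,
    author: { id: author.id, email: author.email },
  };
}

// Access is decided by the requester's relation to the comment's app (assumed
// here: same organization), not merely by having a session.
function getComment(requesterId: string | null, commentId: string): CommentResponse {
  const requester = users.find((u) => u.id === requesterId);
  if (!requester) throw new UnauthorizedError("authentication required");

  const comment = comments.find((c) => c.id === commentId);
  const app = comment && apps.find((a) => a.id === comment.appId);
  // Same error for "does not exist" and "not yours", so ids cannot be probed.
  if (!comment || !app || app.organizationId !== requester.organizationId) {
    throw new NotFoundError("comment not found");
  }
  const author = users.find((u) => u.id === comment.authorId);
  if (!author) throw new NotFoundError("comment not found");
  return toCommentResponse(comment, author);
}

// Regression guard: walk a response object and report the paths of any keys
// that should never reach a client.
const FORBIDDEN_KEYS = new Set(["password", "passwordHash", "forgotPasswordToken"]);
function findForbiddenKeys(value: unknown, path = ""): string[] {
  if (value === null || typeof value !== "object") return [];
  return Object.entries(value as Record<string, unknown>).flatMap(([k, v]) => {
    const here = path ? `${path}.${k}` : k;
    return FORBIDDEN_KEYS.has(k) ? [here] : findForbiddenKeys(v, here);
  });
}
```

Running `findForbiddenKeys` over every controller response in an integration test turns the serialization half of this bug into a failing test rather than a disclosure; the access check covers the IDOR half independently, so removing either one alone still leaves the endpoint exposed.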