Typebot chatbot builder vulnerable to reflected XSS
CVE-2024-30264

Currently unrated

Key Information:

Vendor
Typebot
Vendor
CVE Published:
4 April 2024

Summary

Typebot is an open-source chatbot builder. A reflected cross-site scripting (XSS) in the sign-in page of typebot.io prior to version 2.24.0 may allow an attacker to hijack a user's account. The sign-in page takes the redirectPath parameter from the URL. If a user clicks on a link where the redirectPath parameter has a javascript scheme, the attacker that crafted the link may be able to execute arbitrary JavaScript with the privileges of the user. Version 2.24.0 contains a patch for this issue.

References

https://github.com/baptisteArno/typebot.io/security/advis...
https://github.com/baptisteArno/typebot.io/commit/d0be29e...
https://github.com/baptisteArno/typebot.io/blob/v2.23.0/a...

Timeline

  • Vulnerability published

.
CVE-2024-30264 : Typebot chatbot builder vulnerable to reflected XSS | SecurityVulnerability.io