CVE-2022-23068 : Security Advisory and Response

Discover the impact of CVE-2022-23068 affecting ToolJet versions v0.6.0 to v1.10.2. Learn about the HTML injection vulnerability, its severity, and necessary mitigation steps.

ToolJet versions v0.6.0 to v1.10.2 are vulnerable to HTML injection, allowing attackers to inject malicious code into the first and last name fields while inviting a new user.

Understanding CVE-2022-23068

This CVE discloses a vulnerability in ToolJet versions v0.6.0 to v1.10.2 that enables HTML injection during the user invitation process.

What is CVE-2022-23068?

ToolJet versions v0.6.0 to v1.10.2 are prone to HTML injection, which could be exploited by malicious actors to insert harmful code in the first and last name fields during the new user invitation.

The Impact of CVE-2022-23068

This vulnerability is rated MEDIUM severity with a CVSS base score of 5.4: the attack vector is the network, attack complexity is low, user interaction is required, the scope is changed, and the impact on confidentiality and integrity is low.

Technical Details of CVE-2022-23068

This section covers the specifics of the vulnerability.

Vulnerability Description

The vulnerability allows an attacker to perform HTML injection by placing markup in the first and last name fields when inviting a new user. The injected markup is reflected unescaped in the invitation e-mail.

Affected Systems and Versions

ToolJet versions v0.6.0 to v1.10.2 are confirmed to be affected by this vulnerability.

Exploitation Mechanism

Attackers can exploit this vulnerability by injecting malicious code into the name fields during the user invitation process.
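As an added illustration (not ToolJet's own code), the following JavaScript shows the pattern described in the two sections above: an invitation template that concatenates the first and last name fields straight into HTML, beside a hardened version that escapes each field and validates names before use. The function names, the invite URL and the sample input are constructed assumptions.

```javascript
// Added example, not ToolJet's code: building an invitation e-mail body
// from user-supplied first/last name fields, unsafe and hardened variants.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that can open or close HTML markup or an attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: names are interpolated straight into the HTML template,
// so any markup typed into the name fields is rendered by the recipient's
// mail client exactly as the inviter supplied it.
function buildInviteUnsafe(firstName, lastName, inviteUrl) {
  return `<p>Hi ${firstName} ${lastName},</p>` +
         `<p>You have been invited. <a href="${inviteUrl}">Accept invitation</a></p>`;
}

// Hardened pattern: every untrusted value is escaped at the point it enters
// the HTML context. The invite URL is server-generated but escaped as well,
// because it lands inside an attribute value.
function buildInviteSafe(firstName, lastName, inviteUrl) {
  const f = escapeHtml(firstName);
  const l = escapeHtml(lastName);
  const u = escapeHtml(inviteUrl);
  return `<p>Hi ${f} ${l},</p>` +
         `<p>You have been invited. <a href="${u}">Accept invitation</a></p>`;
}

// Defence in depth: reject names that contain angle brackets outright instead
// of relying on output escaping alone. Apostrophes and ampersands are left
// alone here because they occur in legitimate names; escaping handles them.
function isPlausibleName(value) {
  return typeof value === 'string' && value.length > 0 &&
         value.length <= 100 && !/[<>]/.test(value);
}

// Constructed sample input: an inviter types a tag into the first-name field.
const SAMPLE_FIRST = '<i>Alice</i>';
const SAMPLE_LAST = 'Example';
const SAMPLE_URL = 'https://tooljet.example.invalid/invite?token=PLACEHOLDER';

console.log('unsafe :', buildInviteUnsafe(SAMPLE_FIRST, SAMPLE_LAST, SAMPLE_URL));
console.log('safe   :', buildInviteSafe(SAMPLE_FIRST, SAMPLE_LAST, SAMPLE_URL));
console.log('accept?:', isPlausibleName(SAMPLE_FIRST));
```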

Mitigation and Prevention

To address CVE-2022-23068 and enhance security, consider the following steps.

Immediate Steps to Take

Update ToolJet to version v1.11.0 or later to patch the HTML injection vulnerability.

Long-Term Security Practices

Regularly monitor and apply security updates to your software to prevent similar vulnerabilities.

Patching and Updates

Stay informed about security patches and updates released by ToolJet to protect your systems from potential threats.
