Vulnerability Details CVE-2024-30264
Typebot is an open-source chatbot builder. A reflected cross-site scripting (XSS) in the sign-in page of typebot.io prior to version 2.24.0 may allow an attacker to hijack a user's account. The sign-in page takes the `redirectPath` parameter from the URL. If a user clicks on a link where the `redirectPath` parameter has a javascript scheme, the attacker that crafted the link may be able to execute arbitrary JavaScript with the privileges of the user. Version 2.24.0 contains a patch for this issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 68.3%
CVSS Severity
CVSS v3 Score 8.1
References
- https://github.com/baptisteArno/typebot.io/blob/v2.23.0/apps/builder/src/features/auth/components/SignInForm.tsx#L35
- https://github.com/baptisteArno/typebot.io/commit/d0be29e25732c410b561cbc3c5607c3c1d4b6c8e
- https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-mx2f-9mcr-8j73
- https://github.com/baptisteArno/typebot.io/blob/v2.23.0/apps/builder/src/features/auth/components/SignInForm.tsx#L35
- https://github.com/baptisteArno/typebot.io/commit/d0be29e25732c410b561cbc3c5607c3c1d4b6c8e
- https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-mx2f-9mcr-8j73
Products affected by CVE-2024-30264
-
cpe:2.3:a:typebot:typebot:2.0.0
-
cpe:2.3:a:typebot:typebot:2.1.0
-
cpe:2.3:a:typebot:typebot:2.1.1
-
cpe:2.3:a:typebot:typebot:2.1.2
-
cpe:2.3:a:typebot:typebot:2.10.0
-
cpe:2.3:a:typebot:typebot:2.10.1
-
cpe:2.3:a:typebot:typebot:2.10.2
-
cpe:2.3:a:typebot:typebot:2.10.3
-
cpe:2.3:a:typebot:typebot:2.10.4
-
cpe:2.3:a:typebot:typebot:2.10.5
-
cpe:2.3:a:typebot:typebot:2.11.0
-
cpe:2.3:a:typebot:typebot:2.11.1
-
cpe:2.3:a:typebot:typebot:2.11.2
-
cpe:2.3:a:typebot:typebot:2.11.3
-
cpe:2.3:a:typebot:typebot:2.11.4
-
cpe:2.3:a:typebot:typebot:2.11.5
-
cpe:2.3:a:typebot:typebot:2.11.6
-
cpe:2.3:a:typebot:typebot:2.11.7
-
cpe:2.3:a:typebot:typebot:2.11.8
-
cpe:2.3:a:typebot:typebot:2.11.9
-
cpe:2.3:a:typebot:typebot:2.12.0
-
cpe:2.3:a:typebot:typebot:2.12.1
-
cpe:2.3:a:typebot:typebot:2.12.2
-
cpe:2.3:a:typebot:typebot:2.12.3
-
cpe:2.3:a:typebot:typebot:2.13.0
-
cpe:2.3:a:typebot:typebot:2.13.1
-
cpe:2.3:a:typebot:typebot:2.13.2
-
cpe:2.3:a:typebot:typebot:2.13.3
-
cpe:2.3:a:typebot:typebot:2.13.4
-
cpe:2.3:a:typebot:typebot:2.13.5
-
cpe:2.3:a:typebot:typebot:2.14.0
-
cpe:2.3:a:typebot:typebot:2.14.1
-
cpe:2.3:a:typebot:typebot:2.15.0
-
cpe:2.3:a:typebot:typebot:2.15.1
-
cpe:2.3:a:typebot:typebot:2.15.2
-
cpe:2.3:a:typebot:typebot:2.16.0
-
cpe:2.3:a:typebot:typebot:2.17.0
-
cpe:2.3:a:typebot:typebot:2.17.1
-
cpe:2.3:a:typebot:typebot:2.17.2
-
cpe:2.3:a:typebot:typebot:2.18.0
-
cpe:2.3:a:typebot:typebot:2.18.1
-
cpe:2.3:a:typebot:typebot:2.18.2
-
cpe:2.3:a:typebot:typebot:2.18.3
-
cpe:2.3:a:typebot:typebot:2.18.4
-
cpe:2.3:a:typebot:typebot:2.19.0
-
cpe:2.3:a:typebot:typebot:2.19.1
-
cpe:2.3:a:typebot:typebot:2.2.0
-
cpe:2.3:a:typebot:typebot:2.2.1
-
cpe:2.3:a:typebot:typebot:2.2.9
-
cpe:2.3:a:typebot:typebot:2.20.0
-
cpe:2.3:a:typebot:typebot:2.21.0
-
cpe:2.3:a:typebot:typebot:2.21.1
-
cpe:2.3:a:typebot:typebot:2.21.2
-
cpe:2.3:a:typebot:typebot:2.21.3
-
cpe:2.3:a:typebot:typebot:2.22.0
-
cpe:2.3:a:typebot:typebot:2.23.0
-
cpe:2.3:a:typebot:typebot:2.3.0
-
cpe:2.3:a:typebot:typebot:2.4.0
-
cpe:2.3:a:typebot:typebot:2.5.0
-
cpe:2.3:a:typebot:typebot:2.5.1
-
cpe:2.3:a:typebot:typebot:2.6.0
-
cpe:2.3:a:typebot:typebot:2.6.1
-
cpe:2.3:a:typebot:typebot:2.6.2
-
cpe:2.3:a:typebot:typebot:2.7.0
-
cpe:2.3:a:typebot:typebot:2.7.1
-
cpe:2.3:a:typebot:typebot:2.8.0
-
cpe:2.3:a:typebot:typebot:2.8.1
-
cpe:2.3:a:typebot:typebot:2.8.10
-
cpe:2.3:a:typebot:typebot:2.8.11
-
cpe:2.3:a:typebot:typebot:2.8.12
-
cpe:2.3:a:typebot:typebot:2.8.2
-
cpe:2.3:a:typebot:typebot:2.8.3
-
cpe:2.3:a:typebot:typebot:2.8.4
-
cpe:2.3:a:typebot:typebot:2.8.5
-
cpe:2.3:a:typebot:typebot:2.8.6
-
cpe:2.3:a:typebot:typebot:2.8.7
-
cpe:2.3:a:typebot:typebot:2.8.8
-
cpe:2.3:a:typebot:typebot:2.8.9
-
cpe:2.3:a:typebot:typebot:2.9.0
-
cpe:2.3:a:typebot:typebot:2.9.1
-
cpe:2.3:a:typebot:typebot:2.9.2
-
cpe:2.3:a:typebot:typebot:2.9.3
-
cpe:2.3:a:typebot:typebot:2.9.4