Tooljet: >> Tooljet >> 1.10.0 Security Vulnerabilities
Unrestricted file size limit can lead to DoS in tooljet/tooljet <1.27 by allowing a logged in attacker to upload profile pictures over 2MB.
CVSS Score
6.5
EPSS Score
0.001
Published
2022-11-22
Account Takeover :: when see the info i can see the hash pass i can creaked it ............... Account Takeover :: when see the info i can see the forgot_password_token the hacker can send the request and changed the pass
CVSS Score
9.8
EPSS Score
0.001
Published
2022-10-07
Just like in the previous report, an attacker could steal the account of different users. But in this case, it's a little bit more specific, because it is needed to be an editor in the same app as the victim.
CVSS Score
6.5
EPSS Score
0.001
Published
2022-09-28
The forgot password token basically just makes us capable of taking over the account of whoever comment in an app that we can see (bruteforcing comment id's might also be an option but I wouldn't count on it, since it would take a long time to find a valid one).
CVSS Score
7.1
EPSS Score
0.002
Published
2022-08-29
Improper Access Control in GitHub repository tooljet/tooljet prior to v1.19.0.
CVSS Score
9.8
EPSS Score
0.001
Published
2022-08-02
Excessive Attack Surface in GitHub repository tooljet/tooljet prior to v1.16.0.
CVSS Score
9.8
EPSS Score
0.003
Published
2022-06-09
ToolJet versions v0.6.0 to v1.10.2 are vulnerable to HTML injection where an attacker can inject malicious code inside the first name and last name field while inviting a new user which will be reflected in the invitational e-mail.
CVSS Score
5.4
EPSS Score
0.002
Published
2022-05-18