Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
tooljet vulnerabilities and exploits
(subscribe to this query)
NA
CVE-2022-2631
Improper Access Control in GitHub repository tooljet/tooljet prior to v1.19.0.
Tooljet Tooljet
NA
CVE-2022-4111
Unrestricted file size limit can lead to DoS in tooljet/tooljet <1.27 by allowing a logged in malicious user to upload profile pictures over 2MB.
Tooljet Tooljet
3.5
CVSSv2
CVE-2022-23068
ToolJet versions v0.6.0 to v1.10.2 are vulnerable to HTML injection where an attacker can inject malicious code inside the first name and last name field while inviting a new user which will be reflected in the invitational e-mail.
Tooljet Tooljet
NA
CVE-2022-3422
Account Takeover :: when see the info i can see the hash pass i can creaked it ............... Account Takeover :: when see the info i can see the forgot_password_token the hacker can send the request and changed the pass
Tooljet Tooljet
NA
CVE-2022-3019
The forgot password token basically just makes us capable of taking over the account of whoever comment in an app that we can see (bruteforcing comment id's might also be an option but I wouldn't count on it, since it would take a long time to find a valid one).
Tooljet Tooljet
6
CVSSv2
CVE-2022-2037
Excessive Attack Surface in GitHub repository tooljet/tooljet prior to v1.16.0.
Tooljet Tooljet
6.8
CVSSv2
CVE-2022-23067
ToolJet versions v0.5.0 to v1.2.2 are vulnerable to token leakage via Referer header that leads to account takeover . If the user opens the invite link/signup link and then clicks on any external links within the page, it leaks the password set token/signup token in the referer h...
Tooljet Tooljet
NA
CVE-2022-3348
Just like in the previous report, an attacker could steal the account of different users. But in this case, it's a little bit more specific, because it is needed to be an editor in the same app as the victim.
Tooljet Tooljet
NA
CVE-2022-27979
A cross-site scripting (XSS) vulnerability in ToolJet v1.6.0 allows malicious users to execute arbitrary web scripts or HTML via a crafted payload injected into the Comment Body component.
Tooljet Tooljet 1.6.0
1 Github repository
NA
CVE-2022-27978
Tooljet v1.6 does not properly handle missing values in the API, allowing malicious users to arbitrarily reset passwords via a crafted HTTP request.
Tooljet Tooljet 1.6
1 Github repository
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2022-38028
CVE-2024-32406
CVE-2024-25624
IMAP
CVE-2024-2310
CVE-2024-0874
CVE-2024-20359
XXE
remote code execution
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started