Account Takeover in tooljet/tooljet
Reported on Aug 28th 2022
Description
A hacker can invite any user to a team and, with the bug I reported before, can accept the invitation. The hacker can then add the user to a group to give them new permissions in the team. When the hacker visits the team, they can see private info for the victim, such as the hashed password, many tokens and more information.
Proof of Concept
https://drive.google.com/file/d/1fKZ-T0peu2h9yIHNqqsteKn50nbpRCLZ/view?usp=sharing
Impact
Account Takeover: when I see the info, I can see the hashed password and I can crack it. Account Takeover: when I see the info, I can see the forgot_password_token; the hacker can send the request and change the password.
SECURITY.md: exists
We will still follow up with another nudge to the maintainer. Thank you for your patience, and I am sure we will hear from them soon 👍
https://drive.google.com/file/d/1fKZ-T0peu2h9yIHNqqsteKn50nbpRCLZ/view?usp=sharing my bug is not the same
@admin you marked my report as a duplicate. It is not a duplicate, it is another bug, it is another account takeover. Can you see the POC video? You should hurry because the report has become public; anyone can see the report and the bug.
Hello, we do side with the judgement of the maintainer on their assessment of the report. We do not take specific positions on the reports but believe the maintainers are best placed to qualify the report.
If you still do not agree, I would recommend politely getting in touch with the maintainer to discuss further :)
@admin - It has been a mistake from our end. It is not a duplicate issue. Is there a way to revert the duplicate tag?
I can report this bug again and you should fix it ASAP.
This report has now been reset to its previous state as requested :)
The CVE has already been published @ahmed8magdy what do you want to do?