CVE-2024-30264

CRITICAL EPSS 53.1%
Published Apr 4, 2024 (2y ago) · Modified Jun 17, 2026 (1w ago)
9.3 CVSS 3.1
Critical

Description

Typebot is an open-source chatbot builder. A reflected cross-site scripting (XSS) vulnerability in the sign-in page of typebot.io prior to version 2.24.0 may allow an attacker to hijack a user's account. The sign-in page takes the `redirectPath` parameter from the URL. If a user clicks a link whose `redirectPath` parameter uses the `javascript:` scheme, the attacker who crafted the link may be able to execute arbitrary JavaScript with the privileges of that user. Version 2.24.0 contains a patch for this issue.
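The defensive pattern for this class of bug is to treat a redirect target from the query string as untrusted and accept only same-origin relative paths. The following is an added example, not Typebot's code; `FALLBACK_PATH` and the dummy origin used for parsing are assumptions.

```typescript
// Added example (not from the Typebot project): validate a redirect path
// taken from a URL query parameter before passing it to a router or
// window.location. Only rooted, same-origin paths such as "/typebots?tab=1"
// are accepted; anything with a scheme (javascript:, data:, https:), a
// protocol-relative "//host" prefix, a backslash (browsers normalise "\" to
// "/") or ASCII control characters (tab/newline are ignored by URL parsers)
// is replaced by a safe default.

const FALLBACK_PATH = "/"; // assumption: where to land when the value is unsafe
const DUMMY_ORIGIN = "https://app.example.invalid"; // assumption: only used for parsing

function sanitizeRedirectPath(raw: string | null | undefined): string {
  // The framework is assumed to have already decoded the query parameter.
  if (typeof raw !== "string" || raw.length === 0) return FALLBACK_PATH;

  // Must start with exactly one "/" that is not followed by "/" or "\".
  // This rules out "javascript:...", "https://..." and "//evil.example".
  if (!/^\/(?![\/\\])/.test(raw)) return FALLBACK_PATH;

  // Reject backslashes and C0 control characters anywhere in the value.
  if (/[\\\u0000-\u001f]/.test(raw)) return FALLBACK_PATH;

  // Resolve against a dummy origin; if the origin changed, the value was
  // not a plain path after all. Also normalises "/a/../b" to "/b".
  let parsed: URL;
  try {
    parsed = new URL(raw, DUMMY_ORIGIN);
  } catch {
    return FALLBACK_PATH;
  }
  if (parsed.origin !== DUMMY_ORIGIN) return FALLBACK_PATH;

  return parsed.pathname + parsed.search + parsed.hash;
}
```

In a sign-in form this would be called as `router.push(sanitizeRedirectPath(query.redirectPath))` (assumed usage), so an unsafe parameter degrades to the fallback page instead of being navigated to.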

CVSS Details

Base Score
9.3
Exploitability
2.8
Impact
5.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
53.1% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 1

Vendor    Product   Version   Range
typebot   typebot   *         <2.24.0

References 3

  • github.com https://github.com/baptisteArno/typebot.io/blob/v2.23.0/apps/builder/src/features/auth/components/SignInForm.tsx#L35
    Product
  • github.com https://github.com/baptisteArno/typebot.io/commit/d0be29e25732c410b561cbc3c5607c3c1d4b6c8e
    Patch
  • github.com https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-mx2f-9mcr-8j73
    Exploit, Vendor Advisory

Remediation

  • github.com https://github.com/baptisteArno/typebot.io/commit/d0be29e25732c410b561cbc3c5607c3c1d4b6c8e
    Patch