
Chris Grieger

#20067 of 53,634
12.9 CVSS total
Vulnerabilities · 2
Medium: 1
High: 1
PT-2023-12928
7.5
2023-04-26
Tooljet · Tooljet · CVE-2022-27978
**Name of the Vulnerable Software and Affected Versions** Tooljet version 1.6

**Description** The issue arises from the improper handling of missing values in the API, allowing attackers to send a crafted HTTP request to arbitrarily reset passwords.

**Recommendations** For Tooljet version 1.6, consider restricting access to the password reset functionality until a proper fix is implemented to handle missing values in the API. As a temporary workaround, avoid using the password reset feature via the API to minimize the risk of exploitation.

PT-2023-12929
5.4
2023-04-26
Tooljet · Tooljet · CVE-2022-27979
**Name of the Vulnerable Software and Affected Versions** ToolJet version 1.6.0

**Description** A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `Comment Body` component.

**Recommendations** For ToolJet version 1.6.0, consider disabling the `Comment Body` component until a patch is available to prevent exploitation.