PT-2024-23307 · Typebot · Typebot

Kwstubbs · Published 2024-04-04 · Updated 2026-01-30 · CVE-2024-30264

CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Typebot versions prior to 2.24.0

Description: A reflected cross-site scripting (XSS) issue in the sign-in page of typebot.io may allow an attacker to hijack a user's account. The sign-in page takes the redirectPath parameter from the URL. If a user clicks on a link whose redirectPath parameter uses a javascript scheme, the attacker who crafted the link may be able to execute arbitrary JavaScript with the privileges of that user.

Recommendations: For versions prior to 2.24.0, update to version 2.24.0 to resolve the issue. As a temporary workaround, consider restricting the use of the redirectPath parameter in the sign-in page to minimize the risk of exploitation. Avoid using the redirectPath parameter with a javascript scheme in the URL until the issue is resolved.
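As an added illustration of the "restrict the redirectPath parameter" workaround (example code, not Typebot's own code or its 2.24.0 fix), the validator below accepts only a relative path on the application's own origin and falls back to a fixed landing page for anything else; the origin string, function names and the `navigate` callback are assumptions.

```javascript
// Added example, not Typebot's code: treat the redirectPath query parameter
// as untrusted input and accept only a relative path on our own origin.
// Anything else (javascript:, data:, absolute URLs, protocol-relative //host)
// falls back to a fixed landing page.

// Assumed application origin; a real deployment would take this from config.
const APP_ORIGIN = "https://app.example.invalid";
const FALLBACK_PATH = "/";

/**
 * Returns true only if `candidate` is an absolute path on APP_ORIGIN.
 * String checks reject the obvious shapes; resolving against APP_ORIGIN and
 * comparing origin and scheme catches whatever the string checks miss.
 */
function isSafeRedirectPath(candidate) {
  if (typeof candidate !== "string" || candidate.length === 0) return false;
  // Exactly one leading slash: "//host" is protocol-relative, and browsers
  // that normalise backslashes treat "/\host" the same way.
  if (!candidate.startsWith("/") || candidate.startsWith("//") || candidate.startsWith("/\\")) {
    return false;
  }
  let resolved;
  try {
    resolved = new URL(candidate, APP_ORIGIN);
  } catch (_e) {
    return false; // unparseable input is never a valid redirect target
  }
  return resolved.origin === APP_ORIGIN && resolved.protocol === "https:";
}

/** Path the sign-in page may navigate to after a successful login. */
function safeRedirectPath(candidate) {
  return isSafeRedirectPath(candidate) ? candidate : FALLBACK_PATH;
}

// The weak pattern the advisory describes is navigating to the raw parameter,
// which lets a javascript: value run in the user's session. Route the value
// through safeRedirectPath instead. `navigate` is an assumed router callback.
function afterSignIn(params, navigate) {
  // const target = params.get("redirectPath");            // unsafe: used as-is
  const target = safeRedirectPath(params.get("redirectPath")); // validated
  navigate(target);
  return target;
}
```

A missing parameter yields `null`, which the type check turns into the fallback, so the same function covers both the absent and the hostile case.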

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2024-30264, GHSA-MX2F-9MCR-8J73

Affected Products: Typebot