CVE-2022-3019
- Source
- https://cve.org/CVERecord?id=CVE-2022-3019
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-3019.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-3019
- Published
- 2022-08-29T05:30:12Z
- Modified
- 2026-04-10T04:47:31.920119Z
- Severity
-
- 7.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Improper Access Control in tooljet/tooljet
- Details
-
The forgot password token basically just makes us capable of taking over the account of whoever comment in an app that we can see (bruteforcing comment id's might also be an option but I wouldn't count on it, since it would take a long time to find a valid one).
- Database specific
{ "cwe_ids": [ "CWE-284" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/3xxx/CVE-2022-3019.json", "cna_assigner": "@huntrdev" }- References
Affected packages
Git / github.com/tooljet/tooljet
Affected ranges
- Type
- GIT
- Repo
- https://github.com/tooljet/tooljet
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
Other
bump-version
fix-csp
fix-dyn-vars
fix-ec2
fix-image
fix-k8s
fix-mongo
fix-pg-queries
fix-setup
fix-webpack
temp-latest-develop
v0.*
v0.10.0
v0.10.0-hotfix.1
v0.10.1
v0.10.1-hotfix.1
v0.11.0
v0.12.0
v0.12.1
v0.13.0
v0.5.0
v0.5.1
v0.5.10
v0.5.11
v0.5.12
v0.5.13
v0.5.14
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.8.0
v0.8.1
v0.8.1-ee.1.0.0
v0.9.0
v0.9.1
v0.9.2
v0.9.3
v0.9.3-hotfix.2
v1.*
v1.10.0
v1.14.0
v1.15.0
v1.16.0
v1.16.1
v1.17.0
v1.17.1
v1.17.2
v1.18.0
v1.19.0
v1.20.0
v1.20.1
v1.20.3
v1.20.4
v1.20.5
v1.21.0
v1.21.1
v1.22.0
v1.22.1
v1.22.2
v1.22.3
v1.22.4
v1.5.0
v1.5.1
v1.6.0