Tag

Cookie

1 brief RSS

Budibase XSS Leads to Account Takeover via JWT Theft

The `budibase:auth` cookie in Budibase is set without the `httpOnly` flag, enabling attackers with XSS to steal JWTs and gain persistent access to user accounts.

Budibase xss account takeover jwt cookie

2r 1t Jan 2, 2024