Lifecycle Timeline
1DescriptionCVE.org
TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain a critical stored XSS vulnerability in the app.typebot.io profile picture upload form. The application fails to sanitize or restrict SVG/XML-based uploads and directly renders them when accessed through the domain. By uploading a crafted malicious SVG file containing embedded JavaScript, an attacker will execute arbitrary JavaScript code. This vulnerability directly enables stored XSS exploitation because the payload is persistently stored on your infrastructure (app.typebot.io) and accessible from a public-facing, permanent link. Stored XSS via malicious SVG uploads to app.typebot.io allows attackers to execute arbitrary JavaScript in victims' browsers, enabling session/token theft, account takeover, and exfiltration of sensitive user data. This issue has been fixed in version 3.16.0.
Analysis
TypeBot is a chatbot builder tool. Versions 3.15.2 and prior contain a critical stored XSS vulnerability in the app.typebot.io profile picture upload form. The application fails to sanitize or restrict SVG/XML-based uploads and directly renders them when accessed through the domain. By uploading a crafted malicious SVG file containing embedded JavaScript, an attacker will execute arbitrary JavaScript code. This vulnerability directly enables stored XSS exploitation because the payload is persistently stored on your infrastructure (app.typebot.io) and accessible from a public-facing, permanent link. Stored XSS via malicious SVG uploads to app.typebot.io allows attackers to execute arbitrary JavaScript in victims' browsers, enabling session/token theft, account takeover, and exfiltration of sensitive user data. This issue has been fixed in version 3.16.0.
More in Typebot Io
View allServer-Side Request Forgery in Typebot chatbot builder versions 3.15.2 and prior allows unauthenticated remote attackers
Unauthenticated cross-tenant file upload in Typebot.io chatbot builder versions 3.16.1 and earlier allows anonymous visi
Stored cross-site scripting in Typebot chatbot builder versions 3.15.2 and prior allows a malicious imported or collabor
Server-side request forgery in Typebot chatbot builder before version 3.17.2 allows remote unauthenticated attackers to
Server-side request forgery in Typebot before 3.17.2 lets an authenticated workspace editor or creator bypass the shared
Server-side request forgery in Typebot versions 3.15.2 and prior allows authenticated users to bypass the validateHttpRe
Server-side request forgery in Typebot chatbot builder versions prior to 3.16.0 allows authenticated users to bypass SSR
Cross-workspace tampering in Typebot 3.15.2 and earlier allows any authenticated workspace member to modify or delete th
Authorization bypass in Typebot chatbot builder versions 3.15.2 and prior allows any authenticated user to access creden
Missing HMAC signature validation on Typebot's WhatsApp Cloud API webhook endpoint exposes versions 3.16.0 and prior to
Typebot 3.15.2 exposes complete private bot definitions across all workspaces to any authenticated platform user via a b
Insecure Direct Object Reference (IDOR) in Typebot's getResultLogs API endpoint allows any authenticated user to read ex
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today