Budibase
cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*
- <= 3.31.1
A stored cross-site scripting vulnerability has been identified in Budibase versions prior to 3.32.5. The issue arises in the Builder Command Palette, which renders entity names using Svelte's {@html} directive without proper sanitization. An authenticated user with Builder access can create entities (tables, views, queries, or automations) with names containing HTML payloads. When any Builder user in the same workspace opens the Command Palette, the payload executes in their browser, stealing their session cookie and allowing full account takeover.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.
To reproduce this vulnerability, log into Budibase as a Builder or Admin user. Create a table, view, query, or automation with a name that includes a malicious HTML payload, such as an image tag with an 'onerror' event. Once the entity is created, open the Command Palette. The injected script will execute, demonstrating the cross-site scripting vulnerability.
Users can update to Budibase version 3.32.5 or later, where this vulnerability has been patched.
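As an added example (not Budibase's own code), the following JavaScript models the two render paths the advisory contrasts, Svelte's `{@html name}` versus text interpolation `{name}`, and includes a check a workspace admin could run over stored entity names before upgrading. The palette markup, the `escapeHtml` helper, and the sample entities are assumptions constructed for the example.

```javascript
// Added example (not Budibase's code): models how a command palette row ends up
// in the DOM under the vulnerable and the fixed render path, and audits names.

// Escape the five characters that can change HTML context. Svelte's text
// interpolation `{name}` does this implicitly; `{@html name}` skips it.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Markup the palette row receives. unsafeHtml=true mirrors `{@html name}`
// (the pre-3.32.5 behaviour); false mirrors plain `{name}` interpolation.
function renderPaletteItem(name, unsafeHtml) {
  const label = unsafeHtml ? name : escapeHtml(name);
  return `<li class="palette-item">${label}</li>`;
}

// Heuristic for auditing stored entity names: a tag or an inline event-handler
// attribute has no business in a table/view/query/automation name.
const TAG_OR_HANDLER = /<\s*\/?[a-z][^>]*>|\bon[a-z]+\s*=/i;

function containsMarkup(name) {
  return TAG_OR_HANDLER.test(name);
}

// Returns the entities whose names should be reviewed or renamed.
function auditEntityNames(entities) {
  return entities
    .filter((e) => containsMarkup(e.name))
    .map((e) => ({ kind: e.kind, name: e.name }));
}

// Constructed sample entities. The second name contains '>' but is not markup,
// so it must not be flagged; the third is shaped like the image-tag-with-onerror
// name the advisory describes, with an inert handler body.
const SAMPLE_ENTITIES = [
  { kind: "table", name: "Customers" },
  { kind: "query", name: "Orders > 100" },
  { kind: "automation", name: '<img src=x onerror="/*constructed*/">' },
];
```

Rendering the flagged name through `renderPaletteItem(name, false)` yields `&lt;img ...&gt;`, which the browser shows as literal text instead of creating an element.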