Budibase
cpe:2.3:a:budibase:budibase:*:*:*:*:*:*:*
- < 3.35.10
A vulnerability exists in Budibase versions prior to 3.35.10: the 'budibase:auth' cookie, which carries the JWT session token, is set without the 'httpOnly' flag. JavaScript running in the page can therefore read the cookie via 'document.cookie', so any cross-site scripting (XSS) vulnerability can be escalated to full account takeover by exfiltrating the JWT, which gives the attacker persistent access to the victim's account. In addition, the cookie is set without the 'secure' flag, so the browser also sends it over plaintext HTTP, and it lacks a 'sameSite' attribute, which increases exposure to cross-site request forgery (CSRF).
Exploitation of this vulnerability allows for full account takeover, as it enables the theft of the JWT session token, granting persistent access to the victim's account.
To reproduce this vulnerability, create an entity with a name that includes a script payload to exploit the stored XSS vulnerability. When the entity is viewed, the injected script will execute and steal the JWT session token from the 'budibase:auth' cookie, sending it to an external server controlled by the attacker.
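As an added example that is not part of this advisory or of the Budibase code base, the following JavaScript parses a Set-Cookie header and reports which of the three attributes discussed above (HttpOnly, Secure, SameSite) are absent, which is the check a practitioner would run against a response from the login endpoint before and after upgrading. The two header values are constructed samples, and the token value is a placeholder, not a real JWT.

```javascript
// Added example, not Budibase code: audit a Set-Cookie header for the
// protections the advisory says the session cookie lacks.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive (RFC 6265), so they are lower-cased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return a list of findings for a session cookie; an empty list means the
// cookie carries all three protections.
function auditSessionCookie(header) {
  const { attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) {
    findings.push("missing HttpOnly: readable via document.cookie, so XSS yields the token");
  }
  if (!attrs.secure) {
    findings.push("missing Secure: the browser will send the cookie over plaintext HTTP");
  }
  if (!attrs.samesite) {
    findings.push("missing SameSite: browser default applies, CSRF exposure");
  } else if (String(attrs.samesite).toLowerCase() === "none" && !attrs.secure) {
    findings.push("SameSite=None is only honoured together with Secure");
  }
  return findings;
}

// Constructed samples (placeholder token, not a real JWT): the weak header
// as described by the advisory, and a hardened form of the same cookie.
const WEAK_HEADER = "budibase:auth=xxxxx.yyyyy.zzzzz; Path=/";
const HARDENED_HEADER =
  "budibase:auth=xxxxx.yyyyy.zzzzz; Path=/; HttpOnly; Secure; SameSite=Lax";

// Usage: run the audit on both samples and print the findings.
for (const h of [WEAK_HEADER, HARDENED_HEADER]) {
  const findings = auditSessionCookie(h);
  console.log(parseSetCookie(h).name, findings.length ? findings : "ok");
}
```

To check a live instance, capture the Set-Cookie header from the login response (for example with the browser's network panel or `curl -i`) and pass it to `auditSessionCookie`; a non-empty result on a version at or above 3.35.10 would indicate that a reverse proxy or custom configuration is stripping the attributes.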
Users can update to Budibase version 3.35.10 or later, where this vulnerability has been patched. Instructions for updating can be found in the Budibase GitHub repository.