cve/2024/CVE-2024-30264.md

### [CVE-2024-30264](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-30264)
![](https://img.shields.io/static/v1?label=Product&message=typebot.io&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%202.24.0%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-79%3A%20Improper%20Neutralization%20of%20Input%20During%20Web%20Page%20Generation%20('Cross-site%20Scripting')&color=brighgreen)

### Description

Typebot is an open-source chatbot builder. A reflected cross-site scripting (XSS) in the sign-in page of typebot.io prior to version 2.24.0 may allow an attacker to hijack a user's account. The sign-in page takes the `redirectPath` parameter from the URL. If a user clicks on a link where the `redirectPath` parameter has a javascript scheme, the attacker that crafted the link may be able to execute arbitrary JavaScript with the privileges  of the user. Version 2.24.0 contains a patch for this issue.

### POC

#### Reference
- https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-mx2f-9mcr-8j73

#### Github
No PoCs found on GitHub currently.