References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

Typebot is a chatbot builder tool. In versions 3.15.2 and prior, the getResultLogs API endpoint authorizes the caller against the provided typebotId but fetches logs solely by resultId without verifying that the result belongs to the authorized typebot, leading to IDOR. An authenticated attacker can supply their own typebotId alongside any victim's resultId to read execution logs from other workspaces, leaking sensitive data including HTTP response bodies, AI model outputs, and webhook payloads. Every other result-scoped endpoint in the same router properly validates that the resultId belongs to the authorized typebotId. This confirms the missing check is an oversight, not a design choice. This issue has been fixed in version 3.15.2.

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-639

https://github.com/baptisteArno/typebot.io/commit/d82b2d47c86ae614a08d4073c669ca64442faff2

https://github.com/baptisteArno/typebot.io/releases/tag/v3.16.0

https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-c63p-mqx5-75r7