Component postMessage XSS
A vulnerability was discovered that allowed a malicious website to use a Retool page to execute a cross-site scripting (XSS) attack via a postMessage call. An attacker exploiting this vulnerability could have executed script in a victim's browser under the Retool domain or under any targeted customer domain hosting Retool endpoints. The malicious JavaScript would be able to take any action the victim can, including stealing some authentication credentials, manipulating Retool apps and resources, and inviting new users to a Retool instance.
To exploit this vulnerability, an attacker would need a victim to visit their malicious website (e.g. attacker.com). An attacker does not need an active account in a Retool organization to target it.
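The bug class described above is a window "message" handler that acts on what it receives without checking where it came from. As an added example (not Retool's code), the handler below shows the checks that close it: an origin allowlist, structural validation of the message, and a closed set of handlers that treat the payload strictly as data. The trusted origin, the `{ type, payload }` message shape and the handler names are assumptions constructed for this demonstration.

```javascript
// Added example, not Retool's code: a defensive window "message" handler
// pattern. Assumptions (constructed for this demo): the trusted origin
// below is a placeholder, and messages are objects of the form { type, payload }.

const ALLOWED_ORIGINS = new Set([
  "https://app.example-host.test", // placeholder, not a real Retool origin
]);

// Closed set of actions the page will perform on request. Each handler
// validates the payload's shape and writes it as plain data (textContent
// style), never as markup or code, so no message can inject script.
const HANDLERS = {
  setTitle(payload, state) {
    if (typeof payload !== "string" || payload.length > 200) return false;
    state.title = payload;
    return true;
  },
  setTheme(payload, state) {
    if (payload !== "light" && payload !== "dark") return false;
    state.theme = payload;
    return true;
  },
};

// Returns "handled" or a "rejected: ..." reason so callers can log drops.
function handleMessage(event, state) {
  // 1. Origin allowlist: event.origin is filled in by the browser and cannot
  //    be forged by the sender, so this check alone shuts out attacker.com.
  if (!ALLOWED_ORIGINS.has(event.origin)) return "rejected: untrusted origin";
  // 2. Structural validation of the message body.
  const data = event.data;
  if (!data || typeof data !== "object" || typeof data.type !== "string") {
    return "rejected: malformed message";
  }
  // 3. Dispatch only to known handlers (own-property check avoids prototype hits).
  if (!Object.prototype.hasOwnProperty.call(HANDLERS, data.type)) {
    return "rejected: unknown type";
  }
  return HANDLERS[data.type](data.payload, state) ? "handled" : "rejected: invalid payload";
}

// Browser wiring; `state` stands in for the DOM writes a real page would do.
if (typeof window !== "undefined") {
  const state = { title: "", theme: "light" };
  window.addEventListener("message", (e) => handleMessage(e, state));
}
```

A message from an unlisted origin is dropped before its contents are even inspected, which is the property the vulnerable handler lacked.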
| Detail | Description |
|---|---|
| Vulnerability Type | CWE-79: Improper Neutralization of Input During Web Page Generation |
| Attack Type | Remote |
| Impact | Execute Unauthorized Code or Commands |
Affected and patched release versions
Retool has released the following patches for Stable and Edge channel releases of self-hosted Retool.
| Channel | Affected version | Patched version |
|---|---|---|
| Edge | 3.300.3 and earlier | 3.300.4 |
| 3.284 Stable | 3.284.0 to 3.284.11 | 3.284.12 |
| 3.253 Stable | 3.253.0 to 3.253.18 | 3.253.19 |