CVE-2024-27103
Last modified
CVE-2024-27103 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. Querybook is a Big Data Querying UI. When a user searches for their queries, datadocs, tables and lists, the search result is marked and highlighted, and this feature uses dangerouslySetInnerHTML which means that if the highlighted result has an XSS payload it will trigger. EPSS estimates a 0.36% chance of exploitation in the next 30 days.
Description
Querybook is a Big Data Querying UI. When a user searches for their queries, datadocs, tables and lists, the search result is marked and highlighted, and this feature uses dangerouslySetInnerHTML which means that if the highlighted result has an XSS payload it will trigger. While the input to dangerouslySetInnerHTML is not sanitized for the data inside of queries which leads to an XSS vulnerability. During the "query auto-suggestion" the name of the suggested tables are set with innerHTML which leads to the XSS vulnerability. A patch to rectify this issue has been introduced in Querybook version 3.31.2.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Querybook | < 3.31.2 |
References
- https://github.com/pinterest/querybook/security/advisories/GHSA-3hjm-9277-5c88Patch, Vendor Advisory
- https://github.com/pinterest/querybook/security/advisories/GHSA-3hjm-9277-5c88Patch, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2024-27103?
How severe is CVE-2024-27103?
How do I fix CVE-2024-27103?
Are you affected by CVE-2024-27103?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST