CVE-2024-27103
CVSS V2 None
CVSS V3 None
Description
Querybook is a Big Data Querying UI. When a user searches for their queries, datadocs, tables and lists, the search result is marked and highlighted, and this feature uses dangerouslySetInnerHTML which means that if the highlighted result has an XSS payload it will trigger. While the input to dangerouslySetInnerHTML is not sanitized for the data inside of queries which leads to an XSS vulnerability. During the "query auto-suggestion" the name of the suggested tables are set with innerHTML which leads to the XSS vulnerability. A patch to rectify this issue has been introduced in Querybook version 3.31.2.
Overview
- CVE ID
- CVE-2024-27103
- Assigner
- GitHub_M
- Vulnerability Status
- PUBLISHED
- Published Version
- 2024-02-28T17:41:36.012Z
- Last Modified Date
- 2024-02-28T17:41:36.012Z
Weakness Enumerations
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/pinterest/querybook/security/advisories/GHSA-3hjm-9277-5c88 | x_refsource_CONFIRM |
| https://github.com/pinterest/querybook/commit/449bdc9e7d679e042c3718b7ed07d2ffa3c46a8f | x_refsource_MISC |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2024-27103 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27103 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2024-06-26 02:10:35 | Added to TrackCVE |