Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2024-26148
Analyzed
More InfoOfficial Page
Source-security-advisories@github.com
View Known Exploited Vulnerability (KEV) details
Published At-21 Feb, 2024 | 23:15
Updated At-05 Feb, 2025 | 22:02

Querybook is a user interface for querying big data. Prior to version 3.31.1, there is a vulnerability in Querybook's rich text editor that enables users to input arbitrary URLs without undergoing necessary validation. This particular security flaw allows the use of `javascript:` protocol which can potentially trigger arbitrary client-side execution. The most extreme exploit of this flaw could occur when an admin user unknowingly clicks on a cross-site scripting URL, thereby unintentionally compromising admin role access to the attacker. A patch to rectify this issue has been introduced in Querybook version `3.31.1`. The fix is backward compatible and automatically fixes existing DataDocs. There are no known workarounds for this issue, except for manually checking each URL prior to clicking on them.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CPE Matches
pinterest
pinterest
>>querybook>>Versions before 3.31.1(exclusive)
cpe:2.3:a:pinterest:querybook:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Secondarysecurity-advisories@github.com
CWE-79Primarynvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/pinterest/querybook/commit/bc620dabaaf13ff1dcb30af0b46a490403fb9908security-advisories@github.com
Patch
https://github.com/pinterest/querybook/pull/1412security-advisories@github.com
Issue Tracking
Patch
https://github.com/pinterest/querybook/security/advisories/GHSA-fh6g-gvvp-587fsecurity-advisories@github.com
Patch
Vendor Advisory
https://github.com/pinterest/querybook/commit/bc620dabaaf13ff1dcb30af0b46a490403fb9908af854a3a-2127-422b-91ae-364da2661108
Patch
https://github.com/pinterest/querybook/pull/1412af854a3a-2127-422b-91ae-364da2661108
Issue Tracking
Patch
https://github.com/pinterest/querybook/security/advisories/GHSA-fh6g-gvvp-587faf854a3a-2127-422b-91ae-364da2661108
Patch
Vendor Advisory
Change History
0Changes found
Details not found