CVE-2024-27103
MEDIUMQuerybook < 3.31.2 - Stored Cross-Site Scripting via Search Highlighting and Query Auto-Suggestion
Title source: llmDescription
Querybook is a Big Data Querying UI. When a user searches for their queries, datadocs, tables and lists, the search result is marked and highlighted, and this feature uses dangerouslySetInnerHTML which means that if the highlighted result has an XSS payload it will trigger. While the input to dangerouslySetInnerHTML is not sanitized for the data inside of queries which leads to an XSS vulnerability. During the "query auto-suggestion" the name of the suggested tables are set with innerHTML which leads to the XSS vulnerability. A patch to rectify this issue has been introduced in Querybook version 3.31.2.
References (2)
Core 2
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/pinterest/querybook/security/advisories/GHSA-3hjm-9277-5c88
Scores
CVSS v3
6.1
EPSS
0.0036
EPSS Percentile
27.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
pinterest/querybook
< 3.31.2
Published
Feb 28, 2024
Tracked Since
Feb 18, 2026