CVE-2024-27103

{"id": "CVE-2024-27103", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2024-02-28T18:15:45.940", "references": [{"url": "https://github.com/pinterest/querybook/commit/449bdc9e7d679e042c3718b7ed07d2ffa3c46a8f", "source": "security-advisories@github.com"}, {"url": "https://github.com/pinterest/querybook/security/advisories/GHSA-3hjm-9277-5c88", "source": "security-advisories@github.com"}, {"url": "https://github.com/pinterest/querybook/commit/449bdc9e7d679e042c3718b7ed07d2ffa3c46a8f", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/pinterest/querybook/security/advisories/GHSA-3hjm-9277-5c88", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Querybook is a Big Data Querying UI. When a user searches for their queries, datadocs, tables and lists, the search result is marked and highlighted, and this feature uses dangerouslySetInnerHTML which means that if the highlighted result has an XSS payload it will trigger. While the input to dangerouslySetInnerHTML is not sanitized for the data inside of queries which leads to an XSS vulnerability. During the \"query auto-suggestion\" the name of the suggested tables are set with innerHTML which leads to the XSS vulnerability. A patch to rectify this issue has been introduced in Querybook version 3.31.2."}, {"lang": "es", "value": "Querybook es una interfaz de usuario de consulta de Big Data. Cuando un usuario busca sus consultas, documentos de datos, tablas y listas, el resultado de la b\u00fasqueda se marca y resalta, y esta funci\u00f3n utiliza peligrosamente SetInnerHTML, lo que significa que si el resultado resaltado tiene una carga \u00fatil XSS, se activar\u00e1. Mientras que la entrada a peligrosamenteSetInnerHTML no est\u00e1 desinfectada para los datos dentro de las consultas, lo que conduce a una vulnerabilidad XSS. Durante la \"sugerencia autom\u00e1tica de consultas\", el nombre de las tablas sugeridas se configura con internalHTML, lo que conduce a la vulnerabilidad XSS. Se introdujo un parche para rectificar este problema en la versi\u00f3n 3.31.2 de Querybook."}], "lastModified": "2024-11-21T09:03:51.940", "sourceIdentifier": "security-advisories@github.com"}