Security Advisory

CVE-2024-28251

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2024-03-13 23:21:28

Last updated 2024-08-02 00:48:49

Assigner GitHub_M

State PUBLISHED

Description

Querybook is a Big Data Querying UI, combining collocated table metadata and a simple notebook interface. Querybooks datadocs functionality works by using a Websocket Server. The client talks to this WSS whenever updating/deleting/reading any cells as well as for watching the live status of query executions. Currently the CORS setting allows all origins, which could result in cross-site websocket hijacking and allow attackers to read/edit/remove datadocs of the user. This issue has been addressed in version 3.32.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

← Browse all CVEs View on cve.org ↗