CVE-2024-27103 — MEDIUM (6.1)

Q: How severe is CVE-2024-27103?

CVE-2024-27103 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-27103?

Check the references section above for vendor advisories and patch information. Affected products include: Pinterest Querybook.

Vulnerability Description

Querybook is a Big Data Querying UI. When a user searches for their queries, datadocs, tables and lists, the search result is marked and highlighted, and this feature uses dangerouslySetInnerHTML which means that if the highlighted result has an XSS payload it will trigger. While the input to dangerouslySetInnerHTML is not sanitized for the data inside of queries which leads to an XSS vulnerability. During the "query auto-suggestion" the name of the suggested tables are set with innerHTML which leads to the XSS vulnerability. A patch to rectify this issue has been introduced in Querybook version 3.31.2.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Pinterest	Querybook	< 3.31.2

Related Weaknesses (CWE)

CWE-79

References

FAQ

What is CVE-2024-27103?

CVE-2024-27103 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Querybook is a Big Data Querying UI. When a user searches for their queries, datadocs, tables and lists, the search result is marked and highlighted, and this feature uses dangerouslySetInnerHTML whic...

How severe is CVE-2024-27103?

CVE-2024-27103 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-27103?

Check the references section above for vendor advisories and patch information. Affected products include: Pinterest Querybook.