CVE-2024-26148

CVSS 3.1 Score 6.1 of 10 (medium)

Details

Published Feb 21, 2024
Updated: Feb 22, 2024
CWE ID 79

Summary

CVE-2024-26148 is a newly disclosed vulnerability affecting Querybook, a big data query user interface. Before version 3.31.1, Querybook's rich text editor does not correctly validate user-supplied URLs. A malicious URL using the `javascript:` protocol can be inserted, which can lead to arbitrary client-side execution. An admin user who clicks an unverified malicious URL could inadvertently grant attackers access to their admin role. Version 3.31.1 of Querybook includes a patch that fixes this issue; the patch is backward-compatible and automatically applies to existing DataDocs. No known workarounds exist, aside from manually inspecting URLs before clicking on them.
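The class of check that closes this kind of gap is a scheme allow-list applied to the parsed URL rather than to the raw string. The following is an added example, not Querybook's patch or code; the names `safeHref`, `auditLinks`, `ALLOWED_PROTOCOLS` and the `BASE` origin are assumptions made for illustration.

```javascript
// Added example (not Querybook's code): allow-list the scheme of a link
// target after parsing, so case, whitespace and control-character tricks
// are normalised before the decision is made.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Hypothetical origin, used only to resolve relative links.
const BASE = 'https://querybook.example/';

// Returns a normalised href that is safe to place in an <a>, or null.
function safeHref(raw) {
  if (typeof raw !== 'string' || raw.trim() === '') return null;
  let url;
  try {
    // The WHATWG parser lowercases the scheme, strips leading control
    // characters and spaces, and removes embedded tabs and newlines,
    // which matches how a browser would interpret the string.
    url = new URL(raw, BASE);
  } catch {
    return null; // unparseable input is rejected, never passed through
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

// Applies the check to stored links at render time, so documents saved
// before the check existed are covered as well. Input is a constructed
// shape: [{ text, url }].
function auditLinks(links) {
  const safe = [];
  const rejected = [];
  for (const link of links) {
    const href = safeHref(link.url);
    if (href === null) rejected.push(link);
    else safe.push({ text: link.text, url: href });
  }
  return { safe, rejected };
}

// Constructed sample links, not taken from any real DataDoc.
const SAMPLE_LINKS = [
  { text: 'docs', url: 'https://example.com/a?b=1' },
  { text: 'relative', url: '/datadoc/42' },
  { text: 'plain', url: 'javascript:alert(1)' },
  { text: 'mixed case', url: ' JaVaScRiPt:alert(1)' },
  { text: 'embedded tab', url: 'java\tscript:alert(1)' },
  { text: 'data url', url: 'data:text/html,<b>x</b>' },
];
```

Comparing the raw string against a prefix such as `javascript:` would miss the mixed-case and embedded-tab entries above, which is why the decision is made on the parser's `protocol` value.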
