Querybook is a popular open-source Big Data Querying UI, which allows users to search, create, and share their data queries. It provides a friendly interface for managing data and exploring datasets. However, a recently discovered security vulnerability, identified as CVE-2024-27103, exposes the platform to a Cross-Site Scripting (XSS) attack, putting user data at risk.

Vulnerability Details

The vulnerability lies in the search functionality provided by Querybook. When a user searches for queries, datadocs, tables, and lists, the matching terms in each search result are marked and highlighted. This feature renders the highlighted result through React's dangerouslySetInnerHTML prop, which means that if the highlighted result contains HTML (for example an XSS payload), the browser interprets it as markup rather than text, and the XSS vulnerability is triggered.

Unfortunately, the value passed to dangerouslySetInnerHTML is not sanitized, so data stored inside queries is rendered as raw HTML, leading to an XSS vulnerability. Furthermore, in the "query auto-suggestion" feature, the names of the suggested tables are inserted with innerHTML, which has the same effect.

Exploit Details

The XSS vulnerability can be exploited by an attacker who injects malicious XSS payloads into query names, or who relies on the "query auto-suggestion" feature to surface a crafted table name. As a result, an unsuspecting user is affected when the payload appears in a search result they view or in an auto-suggested query they use.

Here is an example of how dangerouslySetInnerHTML is used in Querybook:

<span dangerouslySetInnerHTML={{ __html: highlightedResult }} />

To exploit this vulnerability, an attacker could craft a search query payload such as:

<script>alert('XSS Payload')</script>

When the search result or the auto-suggested table name contains the malicious payload, the browser renders it as markup, triggering the XSS vulnerability and executing the attacker's payload in the victim's session.

Original References

1. Querybook GitHub Repository
2. CVE-2024-27103, National Vulnerability Database
3. Querybook Version 3.31.2 Release Notes

Patch and Recommendations

To address this issue, the Querybook team has introduced a patch in Querybook version 3.31.2. Users running vulnerable versions of Querybook are advised to upgrade to the latest version immediately to mitigate the risk of XSS attacks. Additionally, developers should always escape or sanitize untrusted data before it reaches innerHTML or dangerouslySetInnerHTML, so that only markup the application itself generates (such as highlight tags) is interpreted as HTML, to prevent similar vulnerabilities in the future.
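The following is an added example, written for this article and not taken from Querybook's own code, that contrasts the vulnerable highlighting pattern described in the Vulnerability Details section with the hardened form recommended here. The function names highlightUnsafe, highlightSafe and onlyMarkTags are assumptions chosen for illustration, and the sample query text is constructed; it reuses the payload quoted above. The safe version escapes each segment of the result before wrapping matches in <mark> tags, so the data can never contribute markup of its own.

```javascript
// Added example (not Querybook's code): escape-then-highlight for search results
// that are rendered via innerHTML / dangerouslySetInnerHTML.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Make a user-supplied search term safe to embed in a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Vulnerable pattern (hypothetical name): markup is added to the RAW result text and the
// whole string is handed to innerHTML, so any HTML stored in the data is interpreted.
function highlightUnsafe(text, term) {
  if (!term) return text;
  const re = new RegExp(escapeRegExp(term), "gi");
  return text.replace(re, (m) => `<mark>${m}</mark>`);
}

// Hardened pattern (hypothetical name): match against the original text, but escape
// every segment (matched and unmatched) before emitting it. Only the <mark> tags that
// this function generates survive as HTML. Matching on the original text also avoids
// the edge case where a term like "amp" would split an "&amp;" entity in escaped text.
function highlightSafe(text, term) {
  if (!term) return escapeHtml(text);
  const re = new RegExp(escapeRegExp(term), "gi");
  let out = "";
  let last = 0;
  for (const m of text.matchAll(re)) {
    out += escapeHtml(text.slice(last, m.index));
    out += `<mark>${escapeHtml(m[0])}</mark>`;
    last = m.index + m[0].length;
  }
  out += escapeHtml(text.slice(last));
  return out;
}

// Invariant worth asserting in a unit test: after removing our own <mark> tags,
// no other tag opener remains in the string handed to innerHTML.
function onlyMarkTags(html) {
  return html.replace(/<\/?mark>/g, "").indexOf("<") === -1;
}

// Constructed sample: a stored query whose text carries the payload quoted in the article.
const sampleQuery = "SELECT 1 -- <script>alert('XSS Payload')</script>";

console.log("unsafe :", highlightUnsafe(sampleQuery, "select"));
console.log("safe   :", highlightSafe(sampleQuery, "select"));
console.log("unsafe output contains only <mark> tags?", onlyMarkTags(highlightUnsafe(sampleQuery, "select")));
console.log("safe output contains only <mark> tags?  ", onlyMarkTags(highlightSafe(sampleQuery, "select")));
```

In a React component the result of highlightSafe is what would be passed as the __html value, and the onlyMarkTags check is the kind of assertion a test suite can run over every string that reaches dangerouslySetInnerHTML. Escaping first and adding markup second is the general rule; a sanitizer library applied to the final string is the alternative when the data legitimately contains rich HTML.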

Timeline

Published on: 02/28/2024 18:15:45 UTC
Last modified on: 02/29/2024 13:49:47 UTC