PT-2022-27768 · Querybook · Querybook

Czgu · Published 2022-12-06 · Updated 2022-12-07 · CVE-2022-46151

CVSS v3.1: 6.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Querybook versions prior to 3.14.2
Description: The issue concerns Querybook, an open source data querying UI. In affected versions, user-provided data is not escaped in the error field of the auth callback URL in querybook/server/app/auth/oauth_auth.py and querybook/server/app/auth/okta_auth.py. This may allow attackers to perform reflected cross-site scripting (XSS) if Content Security Policy (CSP) is not enabled or 'unsafe-inline' is allowed.
Recommendations: For versions prior to 3.14.2, upgrade to the latest, patched version of Querybook (version 3.14.2 or greater). For users unable to upgrade, enable Content Security Policy (CSP) and do not allow 'unsafe-inline', or manually escape query parameters in a reverse proxy.
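Added illustration of the pattern behind this advisory (example code, not Querybook's own): an auth callback handler that reflects the provider-supplied error parameter into an HTML response as-is, beside the fixed form that HTML-escapes it first. The callback URL, template shape and helper names are assumptions for the example; the constructed inputs are not taken from the page.

```python
import html
from urllib.parse import parse_qs, urlparse

# Assumed minimal error page for an OAuth/Okta callback; not Querybook's template.
TEMPLATE = "<html><body><p>Login failed: {error}</p></body></html>"


def error_from_callback_url(url: str) -> str:
    """Pull the 'error' query parameter out of a callback URL ('' if absent).

    parse_qs percent-decodes the value, which is why an encoded '<' in the
    URL reaches the handler as a literal '<'.
    """
    params = parse_qs(urlparse(url).query)
    return params.get("error", [""])[0]


def render_error_unescaped(error: str) -> str:
    """Vulnerable pattern: attacker-influenced text is interpolated into HTML verbatim."""
    return TEMPLATE.format(error=error)


def render_error_escaped(error: str) -> str:
    """Fixed pattern: escape <, >, &, quotes before interpolation so the
    value is rendered as text, not parsed as markup."""
    return TEMPLATE.format(error=html.escape(error, quote=True))


def reflects_raw_markup(rendered: str, value: str) -> bool:
    """Check usable in a test or review: True if a value containing markup
    characters survived into the page unescaped."""
    has_markup_chars = any(c in value for c in "<>\"'")
    return has_markup_chars and value in rendered


if __name__ == "__main__":
    # Constructed callback URL carrying a harmless tag in the error field.
    url = "https://querybook.example/oauth2callback?error=%3Cb%3Edenied%3C%2Fb%3E"
    err = error_from_callback_url(url)
    print("unescaped reflects markup:", reflects_raw_markup(render_error_unescaped(err), err))
    print("escaped reflects markup:  ", reflects_raw_markup(render_error_escaped(err), err))
```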

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2022-46151
GHSA-MRRW-9WF7-XQ6W

Affected Products

Querybook