PT-2024-21652 · Querybook · Querybook

Hakupiku

Published 2024-02-28 · Updated 2024-02-29 · CVE-2024-27103

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Querybook versions prior to 3.31.2

Description: The issue arises from the use of dangerouslySetInnerHTML when highlighting search results, which can trigger an XSS payload if the result contains malicious code. Additionally, during "query auto-suggestion", the suggested table names are set with innerHTML, leading to an XSS vulnerability. This occurs because the query data passed to dangerouslySetInnerHTML is not sanitized.

Recommendations: For versions prior to 3.31.2, update to version 3.31.2 to rectify the issue. As a temporary workaround, consider disabling the search result highlighting feature and the "query auto-suggestion" feature until the patch is applied. Restrict access to the dangerouslySetInnerHTML and innerHTML functions to minimize the risk of exploitation. Avoid using these functions with untrusted input until the issue is resolved.
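The pattern behind this class of bug and its fix, as an added example that is not Querybook's code: a result-highlighting helper that wraps matches in a mark tag and hands the string to innerHTML or dangerouslySetInnerHTML. The unsafe version emits the stored query text as-is, so any markup inside a query is interpreted; the hardened version escapes every text segment and only emits the tags it generates itself. Function names and the sample query are constructed for this example.

```javascript
// Added example (not Querybook's code): escaping search-result text before
// wrapping matches in highlight markup.

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Escape regex metacharacters so a user-typed search term is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Unsafe pattern described in the advisory: the raw query text, including any
// markup it contains, ends up in the HTML string that is set via innerHTML.
function highlightUnsafe(text, term) {
  const re = new RegExp(escapeRegExp(term), 'gi');
  return text.replace(re, (m) => `<mark>${m}</mark>`);
}

// Hardened: match against the raw text, but escape every emitted segment so
// the only tags in the output are the <mark> elements produced here.
function highlightSafe(text, term) {
  if (!term) return escapeHtml(text);
  const re = new RegExp(escapeRegExp(term), 'gi');
  let out = '';
  let last = 0;
  for (const m of text.matchAll(re)) {
    out += escapeHtml(text.slice(last, m.index));
    out += `<mark>${escapeHtml(m[0])}</mark>`;
    last = m.index + m[0].length;
  }
  out += escapeHtml(text.slice(last));
  return out;
}

// Constructed sample: a stored query whose text happens to contain markup.
const sampleQuery = 'SELECT name FROM users -- <b>note</b>';

// highlightUnsafe(sampleQuery, 'users') keeps <b>note</b> as live markup;
// highlightSafe(sampleQuery, 'users') renders it as literal text.
```

In a React component the hardened string can still be passed as dangerouslySetInnerHTML={{ __html: highlightSafe(text, term) }}, but returning an array of React elements (plain strings plus mark elements) avoids parsing HTML at all and is the preferable fix.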

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-27103
GHSA-3HJM-9277-5C88

Affected Products

Querybook