CVE-2024-41808

Name of the Vulnerable Software and Affected Versions OpenObserve versions through 0.9.1

Description The OpenObserve open-source observability platform has a security issue where it does not sanitize user input in the filter selection menu, potentially leading to complete account takeover. The front-end uses DOMPurify or Vue templating to escape cross-site scripting (XSS) in many areas, but certain parts lack this protection. Combining the missing protection with insecure authentication handling, a malicious user may be able to take over any victim's account if they meet the exploitation steps.

Recommendations For versions through 0.9.1, as a temporary workaround, consider restricting access to the filter selection menu until a patch is available. Additionally, review the authentication handling to ensure it is secure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.