PT-2024-36800 · Unknown · Grist-Core
Vviers · Published 2024-12-20 · Updated 2024-12-20 · CVE-2024-56358
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: grist-core versions prior to 1.3.2
Description: grist-core is a spreadsheet hosting server. A user's account could be compromised by visiting a malicious document and previewing an attachment: JavaScript in an SVG attachment is evaluated in the context of the user's current page (the application's origin), allowing for potential account takeover.
Recommendations: For versions prior to 1.3.2, upgrade to version 1.3.2 or later to resolve the issue. As a temporary workaround for users unable to upgrade, avoid previewing attachments in documents prepared by untrusted individuals.
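The root cause above is an SVG being rendered where its script runs in the application's origin. As an added example (not code from the advisory or from the grist-core project), the TypeScript helper below shows one server-side mitigation: serving script-capable attachment types with headers that force download and, if the file is nevertheless opened directly, confine it to a scriptless sandbox. The function and constant names are assumptions of this example.

```typescript
// Added example, not grist-core's own code: pick response headers for an
// uploaded attachment so that active content in an SVG (or HTML/XML) file
// cannot execute in the application's origin. Names are hypothetical.

type AttachmentHeaders = Record<string, string>;

// Types a browser renders inline without ever executing script.
const INLINE_SAFE_TYPES = new Set([
  "image/png", "image/jpeg", "image/gif", "image/webp", "text/plain", "application/pdf",
]);

// Types that can carry script when opened as a top-level document or in an
// <iframe>/<object>; an <img> tag would not run it, but a direct preview does.
const ACTIVE_CONTENT_TYPES = new Set([
  "image/svg+xml", "text/html", "application/xhtml+xml", "text/xml", "application/xml",
]);

function normalizeType(contentType: string): string {
  return (contentType.split(";")[0] ?? "").trim().toLowerCase();
}

function chooseAttachmentHeaders(filename: string, contentType: string): AttachmentHeaders {
  const type = normalizeType(contentType);
  // Strip CR/LF and quotes so a crafted filename cannot inject a header.
  const safeName = filename.replace(/[\r\n"]/g, "_");
  const headers: AttachmentHeaders = {
    "Content-Type": type,
    // Stop the browser from sniffing an "image" into an HTML document.
    "X-Content-Type-Options": "nosniff",
  };
  if (ACTIVE_CONTENT_TYPES.has(type)) {
    // Force download; if opened directly anyway, the CSP sandbox gives the
    // document an opaque origin with no script, no network and no forms.
    headers["Content-Disposition"] = `attachment; filename="${safeName}"`;
    headers["Content-Security-Policy"] = "sandbox; default-src 'none'; style-src 'unsafe-inline'";
  } else if (INLINE_SAFE_TYPES.has(type)) {
    headers["Content-Disposition"] = `inline; filename="${safeName}"`;
  } else {
    // Unknown types are never previewed inline.
    headers["Content-Disposition"] = `attachment; filename="${safeName}"`;
  }
  return headers;
}
```

An in-page preview of an untrusted SVG should then use an `<img>` element pointing at this endpoint (which never runs SVG script) rather than injecting the SVG markup into the DOM or loading it in an iframe on the same origin.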

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-56358
GHSA-JVFM-GF4F-33Q3

Affected Products

Grist-Core