PT-2024-4535 · Querybook · Querybook
Hakupiku · Published 2024-02-21 · Updated 2025-02-05 · CVE-2024-26148
CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Querybook versions prior to 3.31.1
Description: The issue lies in the Rich Text Editor component of Querybook, which does not validate the URL a user enters for a link, so arbitrary URLs are accepted without the necessary checks. This allows a link to use the javascript: protocol, which can trigger arbitrary client-side code execution when the link is clicked. In the worst case, an admin user unknowingly clicks a cross-site scripting URL and the attacker gains the admin's role and access.
Recommendations: For versions prior to 3.31.1, update to version 3.31.1 or later, which includes a patch for this issue. The fix is backward compatible and automatically repairs existing DataDocs. As a temporary workaround, inspect each link's URL before clicking it to reduce the risk of exploitation.
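The class of flaw described above is fixed by validating link targets against an allowlist of URL schemes rather than by blocklisting the string "javascript:". The following is an added example written for this advisory, not Querybook's own code or the 3.31.1 patch; the node shape (`{ type: "link", text, href }`), the base origin `https://querybook.example/` and the sample document are constructed for illustration. It uses the WHATWG URL parser (the same parser the browser applies to an href), so case variations and embedded tab or newline characters in the scheme are normalized before the scheme check, and it includes a pass over stored documents that strips the href from any link that fails validation, in the spirit of the advisory's note that the fix repairs existing DataDocs.

```javascript
// Added example (not Querybook's code): allowlist-based href validation for a
// rich text editor, plus a repair pass over already-stored link nodes.

// Only these schemes may appear in a saved link. Everything else (javascript:,
// data:, vbscript:, blob:, file:, ...) is rejected rather than enumerated.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns the normalized absolute URL if `href` is acceptable, or null if the
// link must be rejected. Relative hrefs are resolved against `base`, which is
// assumed to be the application's own origin (constructed value here).
function safeHref(href, base = "https://example.invalid/") {
  if (typeof href !== "string") return null;
  let parsed;
  try {
    // The URL parser strips leading/trailing C0 controls and spaces and
    // removes tabs and newlines, so "Java\tScript:..." still yields the
    // protocol "javascript:" and is caught by the allowlist below.
    parsed = new URL(href, base);
  } catch {
    return null; // unparseable input is never a valid link target
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// Walks a flat list of editor nodes (constructed shape) and downgrades any
// link whose href fails validation to a plain text node, keeping the visible
// text. Returns the repaired nodes and how many links were stripped.
function sanitizeLinks(nodes, base) {
  let removed = 0;
  const out = nodes.map((node) => {
    if (node.type !== "link") return node;
    const href = safeHref(node.href, base);
    if (href === null) {
      removed += 1;
      return { type: "text", text: node.text };
    }
    return { ...node, href };
  });
  return { nodes: out, removed };
}

// Constructed sample document: two legitimate links, one javascript: link
// with mixed case, and one data: link.
const SAMPLE_DOC = [
  { type: "text", text: "See " },
  { type: "link", text: "the docs", href: "https://querybook.example/docs" },
  { type: "link", text: "click me", href: "JavaScript:alert(1)" },
  { type: "link", text: "table 42", href: "/tables/42" },
  { type: "link", text: "preview", href: "data:text/html,<b>x</b>" },
];

// Demonstration when run directly with Node.
const result = sanitizeLinks(SAMPLE_DOC, "https://querybook.example/");
console.log(`stripped ${result.removed} unsafe link(s)`);
console.log(JSON.stringify(result.nodes, null, 2));
```

Run the same check on the server at save time, not only in the editor: a client-side check can be bypassed by submitting the document directly, and the stored value is what every other user's browser will render. The repair pass is what makes the fix safe for documents created before validation existed.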

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2024-05039
CVE-2024-26148
GHSA-FH6G-GVVP-587F

Affected Products

Querybook