
CVE-2022-46151: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

December 6, 2022 (updated December 7, 2022)

Querybook is an open source data querying UI. In affected versions, user-provided data is not escaped in the error field of the auth callback URL in querybook/server/app/auth/oauth_auth.py and querybook/server/app/auth/okta_auth.py. This may allow attackers to perform reflected cross-site scripting (XSS) if Content Security Policy (CSP) is not enabled or unsafe-inline is allowed. Users are advised to upgrade to the latest, patched version of querybook (version 3.14.2 or greater). Users unable to upgrade may enable CSP and not allow unsafe-inline, or manually escape query parameters in a reverse proxy.
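The pattern behind this advisory, as an added illustration that is not Querybook's own code: the callback's error query parameter interpolated into HTML unescaped beside the escaped form, plus a simplified check that a CSP denies inline script (the advisory's compensating control). The callback path, the constructed URL and the function names are assumptions.

```python
# Added illustration for CVE-2022-46151 (not Querybook's own code).
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed callback URL of the kind an identity provider redirects to;
# the ?error= value is influenced by whoever crafted the link (hypothetical path).
CALLBACK_URL = "https://example.invalid/oauth2callback?error=%3Cb%3Einjected%3C%2Fb%3E"


def error_param(url: str) -> str:
    """Return the 'error' query parameter exactly as supplied in the URL."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("error", [""])[0]


def render_error_unescaped(error: str) -> str:
    """The vulnerable pattern: untrusted text written into the page as-is."""
    return f"<p>Authentication failed: {error}</p>"


def render_error_escaped(error: str) -> str:
    """The fix: HTML-escape the value (including quotes) before page generation."""
    return f"<p>Authentication failed: {escape(error, quote=True)}</p>"


# A CSP whose script-src omits 'unsafe-inline': even if markup slipped through,
# inline script would not run. This is the advisory's mitigation for non-upgraders.
CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def csp_allows_inline_script(csp: str) -> bool:
    """Simplified check: does script-src (or the default-src fallback) permit inline script?

    Absence of both directives means no restriction, hence inline script is allowed.
    Nonce/hash sources that override 'unsafe-inline' are deliberately not modelled.
    """
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    return "'unsafe-inline'" in sources
```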

References

  • github.com/pinterest/querybook/commit/88a7f10495bf5ed1a556ade51a2f2794e403c063
  • github.com/pinterest/querybook/security/advisories/GHSA-mrrw-9wf7-xq6w
  • nvd.nist.gov/vuln/detail/CVE-2022-46151


Affected versions

All versions before 3.14.2

Fixed versions

  • 4.0.0

Solution

Upgrade to version 4.0.0 or above.

Impact: 6.1 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N


Weakness

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Source file

npm/@openzeppelin/contracts/CVE-2022-46151.yml
