CVE-2022-46151

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-46151
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-46151.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-46151
Aliases
  • GHSA-mrrw-9wf7-xq6w
Published
2022-12-06T00:33:43.731Z
Modified
2025-11-28T05:03:11.127084Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Summary
Reflected XSS
Details

Querybook is an open source data querying UI. In affected versions, user-provided data is not escaped in the error field of the auth callback URL in querybook/server/app/auth/oauth_auth.py and querybook/server/app/auth/okta_auth.py. This may allow attackers to perform reflected cross-site scripting (XSS) if a Content Security Policy (CSP) is not enabled or unsafe-inline is allowed. Users are advised to upgrade to the latest patched version of Querybook (version 3.14.2 or greater). Users unable to upgrade may enable a CSP that does not allow unsafe-inline, or manually escape query parameters in a reverse proxy.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/46xxx/CVE-2022-46151.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/pinterest/querybook

Affected ranges

Type
GIT
Repo
https://github.com/pinterest/querybook
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v2.*

v2.3.0
v2.4.0