CVE-2024-28251
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-28251
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-28251.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-28251
- Aliases
-
- GHSA-5349-j4c9-x767
- Published
- 2024-03-13T23:21:28.115Z
- Modified
- 2025-11-30T18:44:24.197556Z
- Severity
-
- 5.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- Summary
- Cross-site websocket hijacking in Querybook
- Details
-
Querybook is a Big Data Querying UI, combining collocated table metadata and a simple notebook interface. Querybook's datadocs functionality works by using a Websocket Server. The client talks to this WSS whenever updating/deleting/reading any cells as well as for watching the live status of query executions. Currently the CORS setting allows all origins, which could result in cross-site websocket hijacking and allow attackers to read/edit/remove datadocs of the user. This issue has been addressed in version 3.32.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/28xxx/CVE-2024-28251.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-345" ] }- References