Home > Vulnerability Database > CVE-2022-46151

Mend.io Vulnerability Database

CVE-2022-46151

Date: December 5, 2022

Querybook is an open source data querying UI. In affected versions user provided data is not escaped in the error field of the auth callback url in "querybook/server/app/auth/oauth_auth.py" and "querybook/server/app/auth/okta_auth.py". This may allow attackers to perform reflected cross site scripting (XSS) if Content Security Policy (CSP) is not enabled or "unsafe-inline" is allowed. Users are advised to upgrade to the latest, patched version of querybook (version 3.14.2 or greater). Users unable to upgrade may enable CSP and not allow unsafe-inline or manually escape query parameters in a reverse proxy.

Language: Python

Severity Score

6.3

Related Resources (4)

Url: https://github.com/pinterest/querybook/commit/88a7f10495bf5ed1a556ade51a2f2794e403c063

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-46151

Url: https://github.com/pinterest/querybook/security/advisories/GHSA-mrrw-9wf7-xq6w

Url: https://www.mend.io/vulnerability-database/CVE-2022-46151

Severity Score

6.3

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

CVSS v3.1

Base Score:	6.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2022-46151

Date: December 5, 2022

Language: Python

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?