CVE-2024-26148
CVSS 3.1 Score 6.1 of 10 (medium)
Details
Summary
CVE-2024-26148 is a recently disclosed vulnerability in Querybook, a big data query user interface. Before version 3.31.1, Querybook's rich text editor did not validate user-supplied link URLs properly, so a link with the `javascript:` scheme could be stored in a DataDoc. When another user clicks such a link, the script runs in that user's browser session, giving the attacker arbitrary client-side code execution. If the victim is an admin, the attacker can act with that admin's privileges. Version 3.31.1 fixes the issue; the patch is backward-compatible and is applied automatically to existing DataDocs. There is no workaround other than manually inspecting a link's target before clicking it.
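The underlying bug is a URL allowlist that was missing, and a naive scheme blocklist is not a substitute: the URL parser normalizes case and strips tabs, newlines and leading whitespace before it looks at the scheme, so a `startsWith("javascript:")` check is trivially bypassed. The example below is added here to illustrate that class of check; it is not Querybook's code or its patch. The `sanitizeUrl` and `naiveBlocklistAllows` helpers, the base origin `https://example.invalid/` and the sample inputs are all constructed for the example.

```javascript
// Added example (not Querybook's own code): allowlist-based link sanitizer
// versus the naive blocklist it replaces. Runs in Node or a browser (WHATWG URL).

// Only these schemes are allowed to become an href. Anything else
// (javascript:, data:, vbscript:, blob:, file:, ...) is rejected.
const SAFE_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

// Hypothetical base origin used to resolve relative links such as "/datadoc/42/".
// A real application would use its own origin here.
const APP_ORIGIN = "https://example.invalid/";

/**
 * Return a normalized, safe href for a user-supplied link, or null if the link
 * must not be rendered as clickable. The WHATWG URL parser does the heavy
 * lifting: it strips ASCII tab/newline anywhere in the input, trims leading and
 * trailing C0 controls and spaces, and lowercases the scheme, so
 * "  JaVa\tScRiPt:alert(1)" parses to protocol "javascript:" and is rejected.
 */
function sanitizeUrl(input, base = APP_ORIGIN) {
  if (typeof input !== "string") return null;
  let url;
  try {
    url = new URL(input, base); // relative links resolve against the app origin
  } catch {
    return null; // unparseable input is dropped rather than passed through
  }
  if (!SAFE_PROTOCOLS.has(url.protocol)) return null;
  return url.href;
}

/**
 * The kind of check that does NOT work: a case-sensitive prefix blocklist on the
 * raw string. Returns true when the link would be allowed through.
 */
function naiveBlocklistAllows(input) {
  return !input.startsWith("javascript:");
}

// Constructed sample inputs an attacker might paste into a rich text link.
const SAMPLE_LINKS = [
  "https://github.com/pinterest/querybook",
  "/datadoc/42/",
  "mailto:admin@example.com",
  "javascript:alert(document.cookie)",
  "JaVaScRiPt:alert(document.cookie)",
  "java\tscript:alert(document.cookie)",
  "  javascript:alert(document.cookie)",
  "data:text/html,<script>alert(1)</script>",
];

// Run both checks over the samples; returns one row per input so the result
// can be inspected or asserted on rather than only printed.
function compareChecks(links = SAMPLE_LINKS) {
  return links.map((link) => ({
    link,
    naiveAllows: naiveBlocklistAllows(link),
    sanitized: sanitizeUrl(link),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareChecks());
}

module.exports = { sanitizeUrl, naiveBlocklistAllows, compareChecks, SAMPLE_LINKS };
```

The design point is to decide on the parsed protocol, not on the raw text, and to allowlist rather than blocklist: every bypass in the sample set (mixed case, embedded tab, leading spaces, a different dangerous scheme) gets past the prefix check but is rejected by `sanitizeUrl`. Rendering code should also refuse to emit an `href` at all when the sanitizer returns null, instead of falling back to the original string.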