cve/2024/CVE-2024-28251.md

### [CVE-2024-28251](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28251)
![](https://img.shields.io/static/v1?label=Product&message=querybook&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%203.32.0%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-345%3A%20Insufficient%20Verification%20of%20Data%20Authenticity&color=brighgreen)

### Description

Querybook is a Big Data Querying UI, combining collocated table metadata and a simple notebook interface. Querybook's datadocs functionality works by using a Websocket Server. The client talks to this WSS whenever updating/deleting/reading any cells as well as for watching the live status of query executions. Currently the CORS setting allows all origins, which could result in cross-site websocket hijacking and allow attackers to read/edit/remove datadocs of the user. This issue has been addressed in version 3.32.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/fkie-cad/nvd-json-data-feeds