{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-13T14:37:23.968","vulnerabilities":[{"cve":{"id":"CVE-2024-28251","sourceIdentifier":"security-advisories@github.com","published":"2024-03-14T00:15:33.630","lastModified":"2025-09-04T15:58:07.750","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Querybook is a Big Data Querying UI, combining collocated table metadata and a simple notebook interface. Querybook's datadocs functionality works by using a Websocket Server. The client talks to this WSS whenever updating/deleting/reading any cells as well as for watching the live status of query executions. Currently the CORS setting allows all origins, which could result in cross-site websocket hijacking and allow attackers to read/edit/remove datadocs of the user. This issue has been addressed in version 3.32.0. Users are advised to upgrade. There are no known workarounds for this vulnerability."},{"lang":"es","value":"Querybook es una interfaz de usuario de consulta de Big Data que combina metadatos de tablas colocadas y una interfaz de cuaderno simple. La funcionalidad de documentos de datos de Querybook funciona mediante un servidor Websocket. El cliente habla con este WSS cada vez que actualiza, elimina o lee cualquier celda, así como para observar el estado en vivo de las ejecuciones de consultas. Actualmente, la configuración CORS permite todos los orígenes, lo que podría resultar en el secuestro de websocket entre sitios y permitir a los atacantes leer/editar/eliminar documentos de datos del usuario. Este problema se solucionó en la versión 3.32.0. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":5.6,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.2,"impactScore":3.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","baseScore":7.3,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":3.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-345"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:pinterest:querybook:*:*:*:*:*:*:*:*","versionEndExcluding":"3.32.0","matchCriteriaId":"8CFC8B6A-D102-49DD-844D-9B43DA76B7CC"}]}]}],"references":[{"url":"https://github.com/pinterest/querybook/pull/1425","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/pinterest/querybook/security/advisories/GHSA-5349-j4c9-x767","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https://github.com/pinterest/querybook/pull/1425","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://github.com/pinterest/querybook/security/advisories/GHSA-5349-j4c9-x767","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"]}]}}]}