
Cross-site websocket hijacking

Low
jczhong84 published GHSA-5349-j4c9-x767 Mar 13, 2024

Package

querybook (DockerHub)

Affected versions

<3.32.0

Patched versions

3.32.0

Description

Impact

Querybook's datadocs functionality works by using a WebSocket server (WSS). The client talks to this WSS whenever it updates, deletes or reads any cells, as well as to watch the live status of query executions. Currently the CORS setting allows all origins, which could result in cross-site WebSocket hijacking and allow attackers to read, edit or remove the user's datadocs.
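
As an added illustration of the handshake check that closes this class of issue (example code written for this advisory, not Querybook's own implementation; the allowlist values, function names and the policy for a missing Origin are assumptions), the following validates the browser-supplied Origin header against an exact allowlist before a cookie-authenticated WebSocket upgrade is accepted:

```python
from urllib.parse import urlsplit

# Constructed allowlist: the origins the deployment is actually served from.
# These are assumed values for the example, not a Querybook default.
ALLOWED_ORIGINS = {
    "https://querybook.example.com",
    "https://querybook.example.com:8443",
}


def normalize_origin(origin):
    """Return (scheme, host, port) for a browser Origin value, or None if malformed."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        return None
    # An Origin is scheme://host[:port] only; a path, query or fragment means
    # the value is not a real Origin header and must not be matched.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    if port is None:
        port = 443 if scheme == "https" else 80
    return (scheme, parts.hostname.lower(), port)


_ALLOWED = {normalize_origin(o) for o in ALLOWED_ORIGINS}


def handshake_allowed(origin_header, allowed=None):
    """Decide whether a cookie-authenticated WebSocket upgrade may proceed.

    The vulnerable behaviour is equivalent to returning True for every value
    (a wildcard origin policy): a page on any site can then open the socket
    and the browser attaches the victim's session cookie to the handshake.
    """
    allowed = _ALLOWED if allowed is None else {normalize_origin(o) for o in allowed}
    if origin_header is None:
        # Browsers always send Origin on WebSocket upgrades. Policy assumed here:
        # a cookie-authenticated handshake without one is treated as untrusted.
        return False
    if origin_header == "null":
        return False  # sandboxed iframes and file: pages are never a deployment origin
    norm = normalize_origin(origin_header)
    # Exact tuple match: no prefix, suffix or substring matching on the host.
    return norm is not None and norm in allowed
```

Normalizing the port means `https://querybook.example.com` and `https://querybook.example.com:443` compare equal, while a look-alike host such as `querybook.example.com.attacker.example` is rejected because only whole-tuple equality counts.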

Patches

Please upgrade to version v3.32

Workarounds

No workarounds for now.

References

Please refer to the PR for details

Severity

Low

CVE ID

CVE-2024-28251

Weaknesses

No CWEs

Credits