Impact
User-provided data is not escaped in the error field of the auth callback URL in querybook/server/app/auth/oauth_auth.py and querybook/server/app/auth/okta_auth.py. This may allow attackers to perform reflected XSS if CSP (Content Security Policy) is not enabled or unsafe-inline is allowed.
Patches
- Upgrade to the latest, patched version of querybook (version 3.14.2 or greater)
Workarounds
- Enable CSP and do not allow unsafe-inline
- Escape query parameters in a reverse proxy
- WAF could be helpful but is unreliable (see here)
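The following is an added illustration of the escaping fix and the CSP workaround described above; it is constructed for this advisory and is not Querybook's own handler code. It assumes a hypothetical callback handler that extracts the `error` query parameter from the provider's redirect URL and renders it into an HTML page, and it shows the unescaped rendering next to the escaped one plus a CSP header value that omits unsafe-inline. The sample callback URL and the `CSP_HEADER` value are constructed.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical CSP value (constructed for this example): no 'unsafe-inline',
# so an injected inline <script> would not run even if escaping were missed.
CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def error_from_callback_url(url: str) -> str:
    """Return the `error` query parameter from an auth callback URL ("" if absent).

    parse_qs percent-decodes the value, which is exactly why it must be
    treated as untrusted text before it reaches an HTML response.
    """
    params = parse_qs(urlsplit(url).query)
    return params.get("error", [""])[0]


def render_error_unescaped(error: str) -> str:
    """Pattern the advisory warns about: the value is interpolated into HTML verbatim."""
    return f"<h1>Authentication failed</h1><p>{error}</p>"


def render_error_escaped(error: str) -> str:
    """Hardened form: html.escape turns <, >, &, \" and ' into entities,
    so the browser renders the value as text rather than markup."""
    return f"<h1>Authentication failed</h1><p>{html.escape(error, quote=True)}</p>"


def response_headers() -> dict:
    """Headers for the error page; the CSP is the defence-in-depth layer
    from the Workarounds section (CSP enabled, unsafe-inline not allowed)."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP_HEADER,
    }


if __name__ == "__main__":
    # Constructed sample: a callback whose error parameter carries HTML markup.
    sample_url = "https://querybook.example/oauth2callback?error=%3Cb%3Eaccess_denied%3C%2Fb%3E"
    err = error_from_callback_url(sample_url)
    print("unescaped:", render_error_unescaped(err))
    print("escaped:  ", render_error_escaped(err))
    print("headers:  ", response_headers())
```

Running the block prints the two renderings side by side: in the unescaped variant the `<b>` tags survive into the page body, while in the escaped variant they become `&lt;b&gt;`, which is the behaviour the patched versions should exhibit for the error field.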
References
For more information
If you have any questions or comments about this advisory: