CVE-2024-56357 HIGH

CVE-2024-56357: Cross-site Scripting vulnerability through custom widget URLs and form redirect URLs in grist-core

Vendor Gristlabs

Product grist-core

Weakness CWE-79 · XSS

Published December 20, 2024

Last update December 24, 2024

View on NVD All CVEs

CVSS base score

8.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

grist-core is a spreadsheet hosting server. A user visiting a malicious document or submitting a malicious form could have their account compromised, because it was possible to use the `javascript:` scheme with custom widget URLs and form redirect URLs. This issue has been patched in version 1.3.1. Users are advised to upgrade. Users unable to upgrade should avoid visiting documents or forms prepared by people they do not trust.

Key dates

02Disclosure timeline

December 20, 2024 CVE published

December 24, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-56357 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2024-56357: Cross-site Scripting vulnerability through custom widget URLs and form redirect URLs in grist-core

01Description

02Disclosure timeline

03References

04Related CVE