Grist Core
Monthly
Unauthorized schema disclosure in Grist Core prior to 1.7.15 allows any user with partial read access - explicitly including anonymous public users on publicly viewable documents - to retrieve table and column metadata for any widget by querying the GET /forms endpoint. The endpoint failed both to validate that the requested section was a form widget and to apply the document's configured access rules before returning metadata, meaning hidden schema structure (table names, column names, types) is fully exposed regardless of the restrictions in place. No public exploit has been identified and the vulnerability is not in CISA KEV; a vendor-released patch exists in version 1.7.15.
Stored and reflected cross-site scripting in Grist (grist-core) before 1.7.15 lets an attacker place a javascript: URL into an unvalidated link href and execute script in a victim's authenticated Grist origin on a single click. Two entry points are affected: the /welcome/select-account page reflects its next query parameter into account-button links, and the GristDocTour table's Link_URL column renders as a clickable tour button, so a document editor can plant a payload that runs when another user opens the document. Because the script executes as the victim, it can drive Grist APIs to read or modify data and change sharing/access rules, letting an editor escalate to owner-level control. There is no public exploit identified at time of analysis and it is not in CISA KEV.
Stored and reflected cross-site scripting in Grist (grist-core) prior to 1.7.15 lets a document editor inject script into a document's name or description that executes when higher-privileged users open the document, and lets attackers abuse the OAuth2 end-of-flow page's reflected openerOrigin parameter. Because the injected script runs in the victim's authenticated Grist origin, a mere document editor can read or modify data, alter sharing settings and access rules, and escalate to owner-level control. No public exploit identified at time of analysis; the issue is CWE-79 and is fixed upstream in the tagged 1.7.15 release.
Grist spreadsheet software has an injection vulnerability in Python formula execution that allows authenticated users to escape the formula sandbox and execute arbitrary code.
grist-core is a spreadsheet hosting server. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.
grist-core is a spreadsheet hosting server. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
grist-core is a spreadsheet hosting server. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
grist-core is a spreadsheet hosting server. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
grist-core is a spreadsheet hosting server. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Unauthorized schema disclosure in Grist Core prior to 1.7.15 allows any user with partial read access - explicitly including anonymous public users on publicly viewable documents - to retrieve table and column metadata for any widget by querying the GET /forms endpoint. The endpoint failed both to validate that the requested section was a form widget and to apply the document's configured access rules before returning metadata, meaning hidden schema structure (table names, column names, types) is fully exposed regardless of the restrictions in place. No public exploit has been identified and the vulnerability is not in CISA KEV; a vendor-released patch exists in version 1.7.15.
Stored and reflected cross-site scripting in Grist (grist-core) before 1.7.15 lets an attacker place a javascript: URL into an unvalidated link href and execute script in a victim's authenticated Grist origin on a single click. Two entry points are affected: the /welcome/select-account page reflects its next query parameter into account-button links, and the GristDocTour table's Link_URL column renders as a clickable tour button, so a document editor can plant a payload that runs when another user opens the document. Because the script executes as the victim, it can drive Grist APIs to read or modify data and change sharing/access rules, letting an editor escalate to owner-level control. There is no public exploit identified at time of analysis and it is not in CISA KEV.
Stored and reflected cross-site scripting in Grist (grist-core) prior to 1.7.15 lets a document editor inject script into a document's name or description that executes when higher-privileged users open the document, and lets attackers abuse the OAuth2 end-of-flow page's reflected openerOrigin parameter. Because the injected script runs in the victim's authenticated Grist origin, a mere document editor can read or modify data, alter sharing settings and access rules, and escalate to owner-level control. No public exploit identified at time of analysis; the issue is CWE-79 and is fixed upstream in the tagged 1.7.15 release.
Grist spreadsheet software has an injection vulnerability in Python formula execution that allows authenticated users to escape the formula sandbox and execute arbitrary code.
grist-core is a spreadsheet hosting server. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. No vendor patch available.
grist-core is a spreadsheet hosting server. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
grist-core is a spreadsheet hosting server. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
grist-core is a spreadsheet hosting server. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
grist-core is a spreadsheet hosting server. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.