Search criteria
15 vulnerabilities found for grist-core by getgrist
FKIE_CVE-2025-64752
Vulnerability from fkie_nvd - Published: 2025-11-13 22:15 - Updated: 2025-11-26 16:19
Severity ?
6.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with access to any document on a Grist installation can use a feature for fetching from a URL that is executed on the server. The privileged network access of server-side requests could offer opportunities for attack escalation. This issue is fixed in version 1.7.7. The mitigation was to use the proxy for untrusted fetches intended for such purposes. As a workaround, avoid making http/https endpoints available to an instance running Grist that expose credentials or operate without credentials.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getgrist | grist-core | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getgrist:grist-core:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B4BAA1F5-E447-47A3-9824-ECA85B6B42B2",
"versionEndExcluding": "1.7.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with access to any document on a Grist installation can use a feature for fetching from a URL that is executed on the server. The privileged network access of server-side requests could offer opportunities for attack escalation. This issue is fixed in version 1.7.7. The mitigation was to use the proxy for untrusted fetches intended for such purposes. As a workaround, avoid making http/https endpoints available to an instance running Grist that expose credentials or operate without credentials."
}
],
"id": "CVE-2025-64752",
"lastModified": "2025-11-26T16:19:34.703",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-11-13T22:15:52.563",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.7"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-qh95-2qv8-pqx3"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-64753
Vulnerability from fkie_nvd - Published: 2025-11-13 22:15 - Updated: 2025-11-20 21:11
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with only partial read access to a document could still access endpoints listing hashes for versions of that document and receive a full list of changes between versions, even if those changes contained cells, columns, or tables to which the user was not supposed to have read access. This was fixed in version 1.7.7 by restricting the `/compare` endpoint to users with full read access. As a workaround, remove sensitive document history using the `/states/remove` endpoint. Another possibility is to block the `/compare` endpoint.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getgrist | grist-core | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getgrist:grist-core:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B4BAA1F5-E447-47A3-9824-ECA85B6B42B2",
"versionEndExcluding": "1.7.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with only partial read access to a document could still access endpoints listing hashes for versions of that document and receive a full list of changes between versions, even if those changes contained cells, columns, or tables to which the user was not supposed to have read access. This was fixed in version 1.7.7 by restricting the `/compare` endpoint to users with full read access. As a workaround, remove sensitive document history using the `/states/remove` endpoint. Another possibility is to block the `/compare` endpoint."
}
],
"id": "CVE-2025-64753",
"lastModified": "2025-11-20T21:11:25.813",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-11-13T22:15:52.750",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.7"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-3v78-cw58-v685"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-56358
Vulnerability from fkie_nvd - Published: 2024-12-20 21:15 - Updated: 2025-03-12 17:33
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
grist-core is a spreadsheet hosting server. A user visiting a malicious document and previewing an attachment could have their account compromised, because JavaScript in an SVG file would be evaluated in the context of their current page. This issue has been patched in version 1.3.2. Users are advised to upgrade. Users unable to upgrade should avoid previewing attachments in documents prepared by people they do not trust.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getgrist | grist-core | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getgrist:grist-core:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F9898E10-3477-40DA-BA74-796374CE3880",
"versionEndExcluding": "1.3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. A user visiting a malicious document and previewing an attachment could have their account compromised, because JavaScript in an SVG file would be evaluated in the context of their current page. This issue has been patched in version 1.3.2. Users are advised to upgrade. Users unable to upgrade should avoid previewing attachments in documents prepared by people they do not trust."
},
{
"lang": "es",
"value": "grist-core es un servidor de alojamiento de hojas de c\u00e1lculo. Un usuario que visite un documento malicioso y obtenga una vista previa de un archivo adjunto podr\u00eda ver comprometida su cuenta, ya que el c\u00f3digo JavaScript en un archivo SVG se evaluar\u00eda en el contexto de su p\u00e1gina actual. Este problema se ha solucionado en la versi\u00f3n 1.3.2. Se recomienda a los usuarios que actualicen la versi\u00f3n. Los usuarios que no puedan actualizar la versi\u00f3n deben evitar obtener una vista previa de los archivos adjuntos en documentos preparados por personas en las que no conf\u00edan."
}
],
"id": "CVE-2024-56358",
"lastModified": "2025-03-12T17:33:10.120",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-12-20T21:15:10.673",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/gristlabs/grist-core/commit/a792bdc43b456dbdd6fdc50d8747f4c349fab2f4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-jvfm-gf4f-33q3"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-56359
Vulnerability from fkie_nvd - Published: 2024-12-20 21:15 - Updated: 2025-03-12 17:32
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
grist-core is a spreadsheet hosting server. A user visiting a malicious document and clicking on a link in a HyperLink cell using a control modifier (meaning for example Ctrl+click) could have their account compromised, since the link could use the javascript: scheme and be evaluated in the context of their current page. This issue has been patched in version 1.3.2. Users are advised to upgrade. Users unable to upgrade should avoid clicking on HyperLink cell links using a control modifier in documents prepared by people they do not trust.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getgrist | grist-core | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getgrist:grist-core:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F9898E10-3477-40DA-BA74-796374CE3880",
"versionEndExcluding": "1.3.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. A user visiting a malicious document and clicking on a link in a HyperLink cell using a control modifier (meaning for example Ctrl+click) could have their account compromised, since the link could use the javascript: scheme and be evaluated in the context of their current page. This issue has been patched in version 1.3.2. Users are advised to upgrade. Users unable to upgrade should avoid clicking on HyperLink cell links using a control modifier in documents prepared by people they do not trust."
},
{
"lang": "es",
"value": "grist-core es un servidor de alojamiento de hojas de c\u00e1lculo. Un usuario que visite un documento malicioso y haga clic en un enlace en una celda de HyperLink utilizando un modificador de control (es decir, por ejemplo, Ctrl+clic) podr\u00eda ver comprometida su cuenta, ya que el enlace podr\u00eda utilizar el esquema javascript: y evaluarse en el contexto de su p\u00e1gina actual. Este problema se ha corregido en la versi\u00f3n 1.3.2. Se recomienda a los usuarios que actualicen. Los usuarios que no puedan actualizar deber\u00edan evitar hacer clic en enlaces de celdas de HyperLink utilizando un modificador de control en documentos preparados por personas en las que no conf\u00eden."
}
],
"id": "CVE-2024-56359",
"lastModified": "2025-03-12T17:32:22.520",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-12-20T21:15:10.880",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/gristlabs/grist-core/commit/a792bdc43b456dbdd6fdc50d8747f4c349fab2f4"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-qv69-5cj2-53r9"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-56357
Vulnerability from fkie_nvd - Published: 2024-12-20 21:15 - Updated: 2025-03-12 17:36
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
grist-core is a spreadsheet hosting server. A user visiting a malicious document or submitting a malicious form could have their account compromised, because it was possible to use the `javascript:` scheme with custom widget URLs and form redirect URLs. This issue has been patched in version 1.3.1. Users are advised to upgrade. Users unable to upgrade should avoid visiting documents or forms prepared by people they do not trust.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| getgrist | grist-core | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getgrist:grist-core:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4567BBCE-DB4D-4648-A39B-637AC71B1564",
"versionEndExcluding": "1.3.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. A user visiting a malicious document or submitting a malicious form could have their account compromised, because it was possible to use the `javascript:` scheme with custom widget URLs and form redirect URLs. This issue has been patched in version 1.3.1. Users are advised to upgrade. Users unable to upgrade should avoid visiting documents or forms prepared by people they do not trust."
},
{
"lang": "es",
"value": "grist-core es un servidor de alojamiento de hojas de c\u00e1lculo. Un usuario que visite un documento malicioso o env\u00ede un formulario malicioso podr\u00eda ver comprometida su cuenta, ya que era posible usar el esquema `javascript:` con URL de widgets personalizados y URL de redireccionamiento de formularios. Este problema se ha solucionado en la versi\u00f3n 1.3.1. Se recomienda a los usuarios que actualicen la versi\u00f3n. Los usuarios que no puedan actualizar deben evitar visitar documentos o formularios preparados por personas en las que no conf\u00eden."
}
],
"id": "CVE-2024-56357",
"lastModified": "2025-03-12T17:36:08.460",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-12-20T21:15:10.483",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/gristlabs/grist-core/commit/10b069005ec8d5f511e6554a56111d8f257f029e"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-cq5q-cqr7-vmf6"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
CVE-2025-64753 (GCVE-0-2025-64753)
Vulnerability from cvelistv5 – Published: 2025-11-13 21:46 – Updated: 2025-11-14 16:17
VLAI?
Title
grist-core has insufficient access control in endpoints for comparisons between documents and versions
Summary
grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with only partial read access to a document could still access endpoints listing hashes for versions of that document and receive a full list of changes between versions, even if those changes contained cells, columns, or tables to which the user was not supposed to have read access. This was fixed in version 1.7.7 by restricting the `/compare` endpoint to users with full read access. As a workaround, remove sensitive document history using the `/states/remove` endpoint. Another possibility is to block the `/compare` endpoint.
Severity ?
5.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.7.7
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64753",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-14T16:12:20.392850Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-14T16:17:23.927Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with only partial read access to a document could still access endpoints listing hashes for versions of that document and receive a full list of changes between versions, even if those changes contained cells, columns, or tables to which the user was not supposed to have read access. This was fixed in version 1.7.7 by restricting the `/compare` endpoint to users with full read access. As a workaround, remove sensitive document history using the `/states/remove` endpoint. Another possibility is to block the `/compare` endpoint."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T21:46:00.508Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-3v78-cw58-v685",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-3v78-cw58-v685"
},
{
"name": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.7"
}
],
"source": {
"advisory": "GHSA-3v78-cw58-v685",
"discovery": "UNKNOWN"
},
"title": "grist-core has insufficient access control in endpoints for comparisons between documents and versions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64753",
"datePublished": "2025-11-13T21:46:00.508Z",
"dateReserved": "2025-11-10T22:29:34.874Z",
"dateUpdated": "2025-11-14T16:17:23.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64752 (GCVE-0-2025-64752)
Vulnerability from cvelistv5 – Published: 2025-11-13 21:43 – Updated: 2025-11-14 17:10
VLAI?
Title
grist-core has path to server-side requests via websocket
Summary
grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with access to any document on a Grist installation can use a feature for fetching from a URL that is executed on the server. The privileged network access of server-side requests could offer opportunities for attack escalation. This issue is fixed in version 1.7.7. The mitigation was to use the proxy for untrusted fetches intended for such purposes. As a workaround, avoid making http/https endpoints available to an instance running Grist that expose credentials or operate without credentials.
Severity ?
6.8 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.7.7
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64752",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-14T16:25:04.348078Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-14T17:10:33.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with access to any document on a Grist installation can use a feature for fetching from a URL that is executed on the server. The privileged network access of server-side requests could offer opportunities for attack escalation. This issue is fixed in version 1.7.7. The mitigation was to use the proxy for untrusted fetches intended for such purposes. As a workaround, avoid making http/https endpoints available to an instance running Grist that expose credentials or operate without credentials."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T21:43:57.610Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-qh95-2qv8-pqx3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-qh95-2qv8-pqx3"
},
{
"name": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.7"
}
],
"source": {
"advisory": "GHSA-qh95-2qv8-pqx3",
"discovery": "UNKNOWN"
},
"title": "grist-core has path to server-side requests via websocket"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64752",
"datePublished": "2025-11-13T21:43:57.610Z",
"dateReserved": "2025-11-10T22:29:34.873Z",
"dateUpdated": "2025-11-14T17:10:33.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56359 (GCVE-0-2024-56359)
Vulnerability from cvelistv5 – Published: 2024-12-20 20:24 – Updated: 2024-12-24 15:49
VLAI?
Title
Cross-site Scripting vulnerability through HyperLink cells in grist-core
Summary
grist-core is a spreadsheet hosting server. A user visiting a malicious document and clicking on a link in a HyperLink cell using a control modifier (meaning for example Ctrl+click) could have their account compromised, since the link could use the javascript: scheme and be evaluated in the context of their current page. This issue has been patched in version 1.3.2. Users are advised to upgrade. Users unable to upgrade should avoid clicking on HyperLink cell links using a control modifier in documents prepared by people they do not trust.
Severity ?
8.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.3.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56359",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-24T15:49:18.855510Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-24T15:49:50.232Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. A user visiting a malicious document and clicking on a link in a HyperLink cell using a control modifier (meaning for example Ctrl+click) could have their account compromised, since the link could use the javascript: scheme and be evaluated in the context of their current page. This issue has been patched in version 1.3.2. Users are advised to upgrade. Users unable to upgrade should avoid clicking on HyperLink cell links using a control modifier in documents prepared by people they do not trust."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T20:24:55.622Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-qv69-5cj2-53r9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-qv69-5cj2-53r9"
},
{
"name": "https://github.com/gristlabs/grist-core/commit/a792bdc43b456dbdd6fdc50d8747f4c349fab2f4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/commit/a792bdc43b456dbdd6fdc50d8747f4c349fab2f4"
}
],
"source": {
"advisory": "GHSA-qv69-5cj2-53r9",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting vulnerability through HyperLink cells in grist-core"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56359",
"datePublished": "2024-12-20T20:24:55.622Z",
"dateReserved": "2024-12-20T17:29:55.861Z",
"dateUpdated": "2024-12-24T15:49:50.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56358 (GCVE-0-2024-56358)
Vulnerability from cvelistv5 – Published: 2024-12-20 20:24 – Updated: 2024-12-24 15:53
VLAI?
Title
Cross-site Scripting vulnerability through svg attachment previews in grist-core
Summary
grist-core is a spreadsheet hosting server. A user visiting a malicious document and previewing an attachment could have their account compromised, because JavaScript in an SVG file would be evaluated in the context of their current page. This issue has been patched in version 1.3.2. Users are advised to upgrade. Users unable to upgrade should avoid previewing attachments in documents prepared by people they do not trust.
Severity ?
8.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.3.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56358",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-24T15:53:15.510364Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-24T15:53:26.149Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. A user visiting a malicious document and previewing an attachment could have their account compromised, because JavaScript in an SVG file would be evaluated in the context of their current page. This issue has been patched in version 1.3.2. Users are advised to upgrade. Users unable to upgrade should avoid previewing attachments in documents prepared by people they do not trust."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T20:24:53.932Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-jvfm-gf4f-33q3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-jvfm-gf4f-33q3"
},
{
"name": "https://github.com/gristlabs/grist-core/commit/a792bdc43b456dbdd6fdc50d8747f4c349fab2f4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/commit/a792bdc43b456dbdd6fdc50d8747f4c349fab2f4"
}
],
"source": {
"advisory": "GHSA-jvfm-gf4f-33q3",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting vulnerability through svg attachment previews in grist-core"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56358",
"datePublished": "2024-12-20T20:24:53.932Z",
"dateReserved": "2024-12-20T17:29:55.861Z",
"dateUpdated": "2024-12-24T15:53:26.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56357 (GCVE-0-2024-56357)
Vulnerability from cvelistv5 – Published: 2024-12-20 20:24 – Updated: 2024-12-24 15:56
VLAI?
Title
Cross-site Scripting vulnerability through custom widget URLs and form redirect URLs in grist-core
Summary
grist-core is a spreadsheet hosting server. A user visiting a malicious document or submitting a malicious form could have their account compromised, because it was possible to use the `javascript:` scheme with custom widget URLs and form redirect URLs. This issue has been patched in version 1.3.1. Users are advised to upgrade. Users unable to upgrade should avoid visiting documents or forms prepared by people they do not trust.
Severity ?
8.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.3.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56357",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-24T15:56:05.803853Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-24T15:56:14.305Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. A user visiting a malicious document or submitting a malicious form could have their account compromised, because it was possible to use the `javascript:` scheme with custom widget URLs and form redirect URLs. This issue has been patched in version 1.3.1. Users are advised to upgrade. Users unable to upgrade should avoid visiting documents or forms prepared by people they do not trust."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T20:24:51.149Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-cq5q-cqr7-vmf6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-cq5q-cqr7-vmf6"
},
{
"name": "https://github.com/gristlabs/grist-core/commit/10b069005ec8d5f511e6554a56111d8f257f029e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/commit/10b069005ec8d5f511e6554a56111d8f257f029e"
}
],
"source": {
"advisory": "GHSA-cq5q-cqr7-vmf6",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting vulnerability through custom widget URLs and form redirect URLs in grist-core"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56357",
"datePublished": "2024-12-20T20:24:51.149Z",
"dateReserved": "2024-12-20T17:29:55.861Z",
"dateUpdated": "2024-12-24T15:56:14.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-64753 (GCVE-0-2025-64753)
Vulnerability from nvd – Published: 2025-11-13 21:46 – Updated: 2025-11-14 16:17
VLAI?
Title
grist-core has insufficient access control in endpoints for comparisons between documents and versions
Summary
grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with only partial read access to a document could still access endpoints listing hashes for versions of that document and receive a full list of changes between versions, even if those changes contained cells, columns, or tables to which the user was not supposed to have read access. This was fixed in version 1.7.7 by restricting the `/compare` endpoint to users with full read access. As a workaround, remove sensitive document history using the `/states/remove` endpoint. Another possibility is to block the `/compare` endpoint.
Severity ?
5.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.7.7
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64753",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-14T16:12:20.392850Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-14T16:17:23.927Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with only partial read access to a document could still access endpoints listing hashes for versions of that document and receive a full list of changes between versions, even if those changes contained cells, columns, or tables to which the user was not supposed to have read access. This was fixed in version 1.7.7 by restricting the `/compare` endpoint to users with full read access. As a workaround, remove sensitive document history using the `/states/remove` endpoint. Another possibility is to block the `/compare` endpoint."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T21:46:00.508Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-3v78-cw58-v685",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-3v78-cw58-v685"
},
{
"name": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.7"
}
],
"source": {
"advisory": "GHSA-3v78-cw58-v685",
"discovery": "UNKNOWN"
},
"title": "grist-core has insufficient access control in endpoints for comparisons between documents and versions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64753",
"datePublished": "2025-11-13T21:46:00.508Z",
"dateReserved": "2025-11-10T22:29:34.874Z",
"dateUpdated": "2025-11-14T16:17:23.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64752 (GCVE-0-2025-64752)
Vulnerability from nvd – Published: 2025-11-13 21:43 – Updated: 2025-11-14 17:10
VLAI?
Title
grist-core has path to server-side requests via websocket
Summary
grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with access to any document on a Grist installation can use a feature for fetching from a URL that is executed on the server. The privileged network access of server-side requests could offer opportunities for attack escalation. This issue is fixed in version 1.7.7. The mitigation was to use the proxy for untrusted fetches intended for such purposes. As a workaround, avoid making http/https endpoints available to an instance running Grist that expose credentials or operate without credentials.
Severity ?
6.8 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.7.7
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64752",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-14T16:25:04.348078Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-14T17:10:33.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with access to any document on a Grist installation can use a feature for fetching from a URL that is executed on the server. The privileged network access of server-side requests could offer opportunities for attack escalation. This issue is fixed in version 1.7.7. The mitigation was to use the proxy for untrusted fetches intended for such purposes. As a workaround, avoid making http/https endpoints available to an instance running Grist that expose credentials or operate without credentials."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T21:43:57.610Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-qh95-2qv8-pqx3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-qh95-2qv8-pqx3"
},
{
"name": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.7"
}
],
"source": {
"advisory": "GHSA-qh95-2qv8-pqx3",
"discovery": "UNKNOWN"
},
"title": "grist-core has path to server-side requests via websocket"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64752",
"datePublished": "2025-11-13T21:43:57.610Z",
"dateReserved": "2025-11-10T22:29:34.873Z",
"dateUpdated": "2025-11-14T17:10:33.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56359 (GCVE-0-2024-56359)
Vulnerability from nvd – Published: 2024-12-20 20:24 – Updated: 2024-12-24 15:49
VLAI?
Title
Cross-site Scripting vulnerability through HyperLink cells in grist-core
Summary
grist-core is a spreadsheet hosting server. A user visiting a malicious document and clicking on a link in a HyperLink cell using a control modifier (meaning for example Ctrl+click) could have their account compromised, since the link could use the javascript: scheme and be evaluated in the context of their current page. This issue has been patched in version 1.3.2. Users are advised to upgrade. Users unable to upgrade should avoid clicking on HyperLink cell links using a control modifier in documents prepared by people they do not trust.
Severity ?
8.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.3.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56359",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-24T15:49:18.855510Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-24T15:49:50.232Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. A user visiting a malicious document and clicking on a link in a HyperLink cell using a control modifier (meaning for example Ctrl+click) could have their account compromised, since the link could use the javascript: scheme and be evaluated in the context of their current page. This issue has been patched in version 1.3.2. Users are advised to upgrade. Users unable to upgrade should avoid clicking on HyperLink cell links using a control modifier in documents prepared by people they do not trust."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T20:24:55.622Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-qv69-5cj2-53r9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-qv69-5cj2-53r9"
},
{
"name": "https://github.com/gristlabs/grist-core/commit/a792bdc43b456dbdd6fdc50d8747f4c349fab2f4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/commit/a792bdc43b456dbdd6fdc50d8747f4c349fab2f4"
}
],
"source": {
"advisory": "GHSA-qv69-5cj2-53r9",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting vulnerability through HyperLink cells in grist-core"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56359",
"datePublished": "2024-12-20T20:24:55.622Z",
"dateReserved": "2024-12-20T17:29:55.861Z",
"dateUpdated": "2024-12-24T15:49:50.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56358 (GCVE-0-2024-56358)
Vulnerability from nvd – Published: 2024-12-20 20:24 – Updated: 2024-12-24 15:53
VLAI?
Title
Cross-site Scripting vulnerability through svg attachment previews in grist-core
Summary
grist-core is a spreadsheet hosting server. A user visiting a malicious document and previewing an attachment could have their account compromised, because JavaScript in an SVG file would be evaluated in the context of their current page. This issue has been patched in version 1.3.2. Users are advised to upgrade. Users unable to upgrade should avoid previewing attachments in documents prepared by people they do not trust.
Severity ?
8.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.3.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56358",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-24T15:53:15.510364Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-24T15:53:26.149Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. A user visiting a malicious document and previewing an attachment could have their account compromised, because JavaScript in an SVG file would be evaluated in the context of their current page. This issue has been patched in version 1.3.2. Users are advised to upgrade. Users unable to upgrade should avoid previewing attachments in documents prepared by people they do not trust."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T20:24:53.932Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-jvfm-gf4f-33q3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-jvfm-gf4f-33q3"
},
{
"name": "https://github.com/gristlabs/grist-core/commit/a792bdc43b456dbdd6fdc50d8747f4c349fab2f4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/commit/a792bdc43b456dbdd6fdc50d8747f4c349fab2f4"
}
],
"source": {
"advisory": "GHSA-jvfm-gf4f-33q3",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting vulnerability through svg attachment previews in grist-core"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56358",
"datePublished": "2024-12-20T20:24:53.932Z",
"dateReserved": "2024-12-20T17:29:55.861Z",
"dateUpdated": "2024-12-24T15:53:26.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56357 (GCVE-0-2024-56357)
Vulnerability from nvd – Published: 2024-12-20 20:24 – Updated: 2024-12-24 15:56
VLAI?
Title
Cross-site Scripting vulnerability through custom widget URLs and form redirect URLs in grist-core
Summary
grist-core is a spreadsheet hosting server. A user visiting a malicious document or submitting a malicious form could have their account compromised, because it was possible to use the `javascript:` scheme with custom widget URLs and form redirect URLs. This issue has been patched in version 1.3.1. Users are advised to upgrade. Users unable to upgrade should avoid visiting documents or forms prepared by people they do not trust.
Severity ?
8.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.3.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56357",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-24T15:56:05.803853Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-24T15:56:14.305Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. A user visiting a malicious document or submitting a malicious form could have their account compromised, because it was possible to use the `javascript:` scheme with custom widget URLs and form redirect URLs. This issue has been patched in version 1.3.1. Users are advised to upgrade. Users unable to upgrade should avoid visiting documents or forms prepared by people they do not trust."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T20:24:51.149Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-cq5q-cqr7-vmf6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-cq5q-cqr7-vmf6"
},
{
"name": "https://github.com/gristlabs/grist-core/commit/10b069005ec8d5f511e6554a56111d8f257f029e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/commit/10b069005ec8d5f511e6554a56111d8f257f029e"
}
],
"source": {
"advisory": "GHSA-cq5q-cqr7-vmf6",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting vulnerability through custom widget URLs and form redirect URLs in grist-core"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56357",
"datePublished": "2024-12-20T20:24:51.149Z",
"dateReserved": "2024-12-20T17:29:55.861Z",
"dateUpdated": "2024-12-24T15:56:14.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}