CVE-2024-23995
Description
Cross Site Scripting (XSS) in Beekeeper Studio 4.1.13 and earlier allows remote attackers to execute arbitrary code in the column name of a database table in tabulator-popup-container.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Beekeeper Studio <=4.1.13 allows arbitrary JavaScript execution when viewing a table with a malicious column name.
CVE-2024-23995 describes a stored cross-site scripting (XSS) vulnerability in Beekeeper Studio versions 4.1.13 and earlier. The flaw occurs in the tabulator-popup-container, where column names of database tables are rendered without proper sanitization. An attacker can inject arbitrary JavaScript into a column name, which is then executed when a user views the affected table.
Exploitation requires an attacker to create or import a database table containing a crafted column name. No authentication beyond user interaction is needed; the victim must open the table in the SQL client. As demonstrated in a public proof-of-concept [1], the injected script runs in the context of the application, bypassing typical security boundaries.
The impact is arbitrary code execution within the Beekeeper Studio UI. An attacker could steal credentials, modify database content, or perform other actions on behalf of the victim. The vulnerability affects the desktop application, not the server-side database.
Beekeeper Studio is an open-source database manager [2]. The maintainers have not yet released a public advisory, but users should upgrade to a later version if available. Until a patch is applied, avoid opening tables from untrusted sources and sanitize column names manually.
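The rendering defect described above and the "sanitize column names manually" advice, shown as an added JavaScript example that is not Beekeeper Studio's or Tabulator's code: column names read from a database schema are attacker-controlled metadata, so they must be escaped before being interpolated into popup markup. The schema and function names are constructed for this illustration.

```javascript
// Added example, not code from Beekeeper Studio or Tabulator.
// Constructed sample schema; the third column name carries HTML markup.
const sampleSchema = {
  table: "users",
  columns: ["id", "email", "name<script>x</script>"],
};

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe pattern (the class of bug in this CVE): raw metadata interpolated
// into markup, so any tag inside a column name becomes part of the document.
function renderPopupUnsafe(schema) {
  return schema.columns.map((c) => `<li class="col">${c}</li>`).join("");
}

// Hardened pattern: every column name is escaped before interpolation.
// In a real DOM, assigning via textContent instead of innerHTML is equivalent.
function renderPopupSafe(schema) {
  return schema.columns
    .map((c) => `<li class="col">${escapeHtml(c)}</li>`)
    .join("");
}

// Defender check for the interim mitigation: flag column names containing
// markup-significant characters before a database from an untrusted source
// is opened in a client that may render them.
function suspiciousColumns(schema) {
  return schema.columns.filter((c) => /[<>"'&]/.test(c));
}
```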
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=4.1.13
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.