CVE-2023-28435

Dataease is an open source data visualization and analysis tool. The permissions for the file upload interface are not checked, so users who are not logged in can upload directly to the background. The file type also goes unchecked, so users could upload any type of file. These vulnerabilities have been fixed in version 1.18.5.
References
Configurations

Configuration 1

cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:55

Type: CVSS
Values Removed: v2 : unknown, v3 : 6.1
Values Added: v2 : unknown, v3 : 6.5

Type: References
Values Removed: https://github.com/dataease/dataease/issues/4798 - Exploit, Issue Tracking, Third Party Advisory
Values Added: https://github.com/dataease/dataease/issues/4798 - Exploit, Issue Tracking, Third Party Advisory

Type: References
Values Removed: https://github.com/dataease/dataease/security/advisories/GHSA-625h-q3g9-rffc - Exploit, Vendor Advisory
Values Added: https://github.com/dataease/dataease/security/advisories/GHSA-625h-q3g9-rffc - Exploit, Vendor Advisory

07 Nov 2023, 04:10

Type: Summary
Values Removed: Dataease is an open source data visualization and analysis tool. The permissions for the file upload interface is not checked so users who are not logged in can upload directly to the background. The file type also goes unchecked, users could upload any type of file. These vulnerabilities has been fixed in version 1.18.5.
Values Added: Dataease is an open source data visualization and analysis tool. The permissions for the file upload interface is not checked so users who are not logged in can upload directly to the background. The file type also goes unchecked, users could upload any type of file. These vulnerabilities has been fixed in version 1.18.5.

Information

Published : 2023-03-24 21:15

Updated : 2024-11-21 07:55


NVD link : CVE-2023-28435

Mitre link : CVE-2023-28435

CVE.ORG link : CVE-2023-28435



Products Affected

dataease

  • dataease

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')