Dataease is an open source data visualization and analysis tool. The permissions for the file upload interface are not checked, so users who are not logged in can upload files directly to the backend. The file type is also not checked, so users can upload any type of file. These vulnerabilities have been fixed in version 1.18.5.
References
Link | Resource |
---|---|
https://github.com/dataease/dataease/issues/4798 | Exploit, Issue Tracking, Third Party Advisory |
https://github.com/dataease/dataease/security/advisories/GHSA-625h-q3g9-rffc | Exploit, Vendor Advisory |
History
21 Nov 2024, 07:55
Type | Values Removed | Values Added |
---|---|---|
CVSS | v2 : v3 : | v2 : unknown, v3 : 6.5 |
References | () https://github.com/dataease/dataease/issues/4798 - Exploit, Issue Tracking, Third Party Advisory | |
References | () https://github.com/dataease/dataease/security/advisories/GHSA-625h-q3g9-rffc - Exploit, Vendor Advisory |
07 Nov 2023, 04:10
Type | Values Removed | Values Added |
---|---|---|
Summary | Dataease is an open source data visualization and analysis tool. The permissions for the file upload interface are not checked, so users who are not logged in can upload files directly to the backend. The file type is also not checked, so users can upload any type of file. These vulnerabilities have been fixed in version 1.18.5. |
Information
Published : 2023-03-24 21:15
Updated : 2024-11-21 07:55
NVD link : CVE-2023-28435
Mitre link : CVE-2023-28435
CVE.ORG link : CVE-2023-28435
Products Affected
dataease
- dataease
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')