CVE-2023-28435

Dataease is an open source data visualization and analysis tool. The permissions for the file upload interface is not checked so users who are not logged in can upload directly to the background. The file type also goes unchecked, users could upload any type of file. These vulnerabilities has been fixed in version 1.18.5.
References
Link Resource
https://github.com/dataease/dataease/issues/4798 Exploit Issue Tracking Third Party Advisory
https://github.com/dataease/dataease/security/advisories/GHSA-625h-q3g9-rffc Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*

History

07 Nov 2023, 04:10

Type Values Removed Values Added
Summary Dataease is an open source data visualization and analysis tool. The permissions for the file upload interface is not checked so users who are not logged in can upload directly to the background. The file type also goes unchecked, users could upload any type of file. These vulnerabilities has been fixed in version 1.18.5. Dataease is an open source data visualization and analysis tool. The permissions for the file upload interface is not checked so users who are not logged in can upload directly to the background. The file type also goes unchecked, users could upload any type of file. These vulnerabilities has been fixed in version 1.18.5.

Information

Published : 2023-03-24 21:15

Updated : 2024-02-28 20:13


NVD link : CVE-2023-28435

Mitre link : CVE-2023-28435

CVE.ORG link : CVE-2023-28435


JSON object : View

Products Affected

dataease

  • dataease
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')