
CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

23 Sep 2024 — DataEase is an open source data visualization analysis tool. Prior to version 2.10.1, there is an XML external entity injection vulnerability in the static resource upload interface of DataEase. An attacker can construct a payload to implement intranet detection and file reading. The vulnerability has been fixed in v2.10.1. • https://github.com/dataease/dataease/security/advisories/GHSA-4m9p-7xg6-f4mm • CWE-611: Improper Restriction of XML External Entity Reference •
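The affected upload path is in DataEase's Java code; what follows is an added Python illustration (not DataEase's code) of the same failure mode and the usual fix. A parser that resolves external general entities copies a local file into the parsed text; a parser with that feature off does not, and an up-front refusal of any document carrying a DTD stops the payload before a parser ever sees it. The SVG wrapper, the temporary file and its `db.password=hunter2` line are constructed for the demo.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data so we can see exactly what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def build_xxe_svg(path):
    """Constructed attacker upload: an SVG whose internal DTD declares an external
    entity pointing at a local file and references it in the document body."""
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE svg [<!ENTITY xxe SYSTEM "' + path.encode() + b'">]>\n'
        b'<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>'
    )


def has_dtd(xml_bytes):
    """Cheapest hardening for an upload endpoint: a static image or SVG never needs
    a DTD, so reject the document if one is declared, before any parsing happens."""
    return b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes


def parse_text(xml_bytes, resolve_external_entities):
    """Parse with xml.sax; the feature flag is the only difference between the
    vulnerable and the hardened configuration."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def demo():
    """Returns (text the vulnerable parser produced, whether the DTD pre-check
    rejects the upload, text the hardened parser produced)."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as f:
        f.write("db.password=hunter2\n")  # constructed secret standing in for a config file
    try:
        payload = build_xxe_svg(f.name)
        leaked = parse_text(payload, resolve_external_entities=True)
        rejected = has_dtd(payload)
        safe = parse_text(payload, resolve_external_entities=False)
        return leaked, rejected, safe
    finally:
        os.unlink(f.name)


if __name__ == "__main__":
    leaked, rejected, safe = demo()
    print("vulnerable parser produced:", repr(leaked))
    print("DTD pre-check rejects upload:", rejected)
    print("hardened parser produced:", repr(safe))
```

The same entity could point at an internal HTTP URL instead of a file, which is the "intranet detection" half of the advisory: the fix is identical, since the parser never follows the reference when external entities are disabled.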

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 May 2024 — DataEase is an open source data visualization analysis tool. Because the connection parameters for the ClickHouse data source are not restricted, certain malicious parameters can be supplied to achieve arbitrary file reading. The vulnerability has been fixed in v1.18.19. • https://github.com/dataease/dataease/security/advisories/GHSA-h7hj-7wg6-p5wh • CWE-863: Incorrect Authorization •

CVSS: 5.3 • EPSS: 91% • CPEs: 1 • EXPL: 2

08 Apr 2024 — DataEase, an open source data visualization and analysis tool, has a database configuration information exposure vulnerability prior to version 2.5.0. Requesting the `/de2api/engine/getEngine;.js` path in a browser returns the platform's database configuration. The vulnerability has been fixed in v2.5.0. No known workarounds are available aside from upgrading. • https://packetstorm.news/files/id/190305 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 9.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

01 Feb 2024 — DataEase is an open source data visualization analysis tool. A deserialization vulnerability exists in the DataEase datasource, which can be exploited to execute arbitrary code. The vulnerable code is located in `core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java`. The blacklist of MySQL JDBC attack parameters can be bypassed, and attackers can further exploit this for deserialization-based code execution or for reading arbitrary files. This vulnerability is patched in 1.18.15 and 2.3.0. • https://github.com/dataease/dataease/commit/4128adf5fc4592b55fa1722a53b178967545d46a • CWE-502: Deserialization of Untrusted Data •
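The ClickHouse entry above (10 May 2024) and this MySQL one share a root cause: data-source connection parameters are handed to the JDBC driver, and a denylist of "known bad" parameter names is the only guard. The added Python sketch below (illustrative, not DataEase's code and not its actual filter) contrasts a denylist matched against the raw URL with an allowlist applied to the parsed parameters. The per-driver allowed sets and the percent-encoded bypass are constructed for the demo; whether a particular driver decodes percent-encoded keys is an assumption here. The durable point is that any gap between what the filter inspects and what the driver consumes defeats a denylist, while an allowlist over parsed parameters has no such gap.

```python
from urllib.parse import parse_qsl

# Connector/J properties commonly denylisted because they drive deserialization
# (autoDeserialize together with an interceptor class) or local file reads.
DENYLIST = {
    "autoDeserialize",
    "queryInterceptors",
    "statementInterceptors",
    "allowLoadLocalInfile",
    "allowUrlInLocalInfile",
}

# Per-driver allowlists of parameters a data-source form may set.  Constructed
# for this example; a deployment derives its own from what it actually needs.
ALLOWED_PARAMS = {
    "mysql": {"useSSL", "requireSSL", "serverTimezone", "connectTimeout",
              "socketTimeout", "characterEncoding"},
    "clickhouse": {"ssl", "sslmode", "connect_timeout", "socket_timeout", "compress"},
}


def denylist_passes(jdbc_url):
    """Weak filter: substring match on the raw URL. This is the shape that gets bypassed."""
    lowered = jdbc_url.lower()
    return not any(bad.lower() in lowered for bad in DENYLIST)


def parse_jdbc_url(jdbc_url):
    """Split 'jdbc:<driver>:...?k=v&...' into (driver, decoded params).
    parse_qsl percent-decodes keys, standing in for the driver's own decoding (assumed)."""
    if not jdbc_url.startswith("jdbc:"):
        raise ValueError("not a JDBC URL")
    driver, sep, rest = jdbc_url[len("jdbc:"):].partition(":")
    if not sep:
        raise ValueError("missing driver-specific URL")
    query = rest.partition("?")[2]
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in params:
            raise ValueError(f"duplicate parameter {key!r}")
        params[key] = value
    return driver.lower(), params


def allowlist_check(jdbc_url):
    """Strong filter: parse first, then admit only known parameters for that driver.
    Returns (ok, offending names) so the caller can log what was rejected."""
    driver, params = parse_jdbc_url(jdbc_url)
    allowed = ALLOWED_PARAMS.get(driver)
    if allowed is None:
        return False, ["driver:" + driver]
    bad = sorted(k for k in params if k not in allowed)
    return not bad, bad


if __name__ == "__main__":
    # Constructed URLs: an overt attack and one with the dangerous key percent-encoded.
    overt = "jdbc:mysql://db.internal:3306/app?autoDeserialize=true&queryInterceptors=x"
    encoded = "jdbc:mysql://db.internal:3306/app?%61utoDeserialize=true"
    for url in (overt, encoded):
        print(url)
        print("  denylist passes:", denylist_passes(url))
        print("  allowlist:", allowlist_check(url))
```

Apply the check to every place a parameter can enter, not only the URL string: if the form also accepts a free-text "extra properties" field or a Properties map, those go through the same allowlist.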

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

21 Sep 2023 — DataEase is an open source data visualization and analysis tool. Prior to version 1.18.11, DataEase has a vulnerability that allows an attacker to obtain user cookies. The program only uses the `ImageIO.read()` method to determine whether the uploaded file is an image; there is no whitelist restriction on file suffixes. This allows an attacker to embed attack code in an image, upload it, and change the file extension to html. • https://github.com/dataease/dataease/commit/826513053146721a2b3e09a9c9d3ea41f8f10569 • CWE-434: Unrestricted Upload of File with Dangerous Type •
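An added Python illustration (not DataEase's code) of the check described above and of its fix. A magic-byte test stands in for "the bytes decode as an image" (the `ImageIO.read()` probe); the polyglot is constructed: a GIF header followed by HTML, enough for an image sniffer to say "GIF" and for a browser to run the script when the file is served as `.html`. The hardened version ties an allowlisted extension to the matching signature and returns the content type the file must be served with, alongside `nosniff`, so even a polyglot that keeps a `.gif` name is never interpreted as HTML.

```python
import os

# Extension allowlist paired with the magic bytes each one must start with.
# The signatures are the standard ones; the pairing is what makes rename tricks fail.
IMAGE_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}
CONTENT_TYPES = {".png": "image/png", ".gif": "image/gif",
                 ".jpg": "image/jpeg", ".jpeg": "image/jpeg"}

# Constructed polyglot: starts like a GIF, so a "is it an image?" probe says yes,
# but a browser that is handed it as text/html executes the script.
POLYGLOT = b"GIF89a<html><script>alert(document.cookie)</script></html>"


def looks_like_image(data):
    """Content-only probe, the weak check: answers 'yes' for the polyglot."""
    return any(data.startswith(sig) for sigs in IMAGE_SIGNATURES.values() for sig in sigs)


def weak_accept(filename, data):
    """Vulnerable shape: the filename is never consulted, so pwn.html is accepted."""
    return looks_like_image(data)


def strict_accept(filename, data):
    """Hardened: the extension must be allowlisted and the bytes must match that
    extension's signature.  Returns the Content-Type to store with the file, or
    None to reject the upload."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    sigs = IMAGE_SIGNATURES.get(ext)
    if sigs is None:
        return None
    if not any(data.startswith(sig) for sig in sigs):
        return None
    return CONTENT_TYPES[ext]


def response_headers(content_type):
    """Headers to serve stored uploads with: a fixed type from the allowlist, and
    nosniff so the browser cannot reinterpret a polyglot as HTML."""
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    for name in ("pwn.html", "pwn.gif.html", "photo.gif", "photo.png"):
        print(f"{name:14} weak={weak_accept(name, POLYGLOT)!s:5} "
              f"strict={strict_accept(name, POLYGLOT)}")
```

Store the file under a server-generated name with the allowlisted extension rather than the client's filename, and serve it from a path or origin that never executes script; the extension check alone does not help if the upload directory is later served as `text/html`.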

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

01 Sep 2023 — SQL injection vulnerability in DataEase v1.18.9 allows a remote attacker to obtain sensitive information via a crafted string that evades the blacklist function. • https://github.com/dataease/dataease/issues/5861 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

25 Jul 2023 — DataEase is an open source data visualization analysis tool. Prior to version 1.18.9, DataEase has a SQL injection vulnerability that can bypass blacklists. The vulnerability has been fixed in v1.18.9. There are no known workarounds. • https://github.com/dataease/dataease/blob/dev/backend/src/main/java/io/dataease/controller/panel/AppLogController.java#L41 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
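This entry and the 1 Sep 2023 one carry the same lesson: a keyword blacklist in front of string-built SQL is not a fix, because the blacklist and the database tokenize differently. The added Python/sqlite3 example below (illustrative, not DataEase's code) builds a lookup the way a vulnerable endpoint would, guards it with a case-sensitive keyword blacklist, and shows a mixed-case payload walking past it into a UNION that reads another table; the hardened version binds the value and allowlists the one fragment that cannot be bound, the ORDER BY column. The `app_log` and `sys_user` tables and their rows are constructed for the demo.

```python
import sqlite3

# Lowercase keywords checked case-sensitively: a common blacklist mistake.
BLACKLIST = ("union", "select", "--", ";")

# ORDER BY cannot be a bound parameter, so the column name is allowlisted instead.
SAFE_SORT_COLUMNS = {"id", "name", "created_at"}

# Constructed payload: closes the LIKE literal, unions in credentials from
# another table, and re-opens a literal so the trailing %' still parses.
PAYLOAD = "' UNION SELECT id, password_hash FROM sys_user WHERE ''<>'"


def setup():
    """In-memory database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE app_log (id INTEGER, name TEXT, created_at TEXT);
        CREATE TABLE sys_user (id INTEGER, username TEXT, password_hash TEXT);
        INSERT INTO app_log VALUES (1, 'sales dashboard', '2023-07-01'),
                                   (2, 'ops overview', '2023-07-02');
        INSERT INTO sys_user VALUES (1, 'admin', '$2a$10$constructedhash');
    """)
    return conn


def blacklist_passes(value):
    """The weak guard: rejects 'union' but not 'UNION'."""
    return not any(word in value for word in BLACKLIST)


def vulnerable_search(conn, name, order_by="id"):
    """String-built SQL behind the blacklist: the shape of the reported bug."""
    if not blacklist_passes(name) or not blacklist_passes(order_by):
        raise ValueError("blocked by blacklist")
    sql = f"SELECT id, name FROM app_log WHERE name LIKE '%{name}%' ORDER BY {order_by}"
    return conn.execute(sql).fetchall()


def sort_is_allowed(order_by):
    return order_by in SAFE_SORT_COLUMNS


def safe_search(conn, name, order_by="id"):
    """Hardened: the value is bound, the sort column is allowlisted."""
    if not sort_is_allowed(order_by):
        raise ValueError("unknown sort column")
    sql = f"SELECT id, name FROM app_log WHERE name LIKE ? ORDER BY {order_by}"
    return conn.execute(sql, (f"%{name}%",)).fetchall()


if __name__ == "__main__":
    conn = setup()
    print("blacklist passes mixed-case payload:", blacklist_passes(PAYLOAD))
    print("vulnerable rows:", vulnerable_search(conn, PAYLOAD))
    print("safe rows:", safe_search(conn, PAYLOAD))
```

The vulnerable query the payload produces is `... WHERE name LIKE '%' UNION SELECT id, password_hash FROM sys_user WHERE ''<>'%' ORDER BY id`; the hash row comes back mixed in with the log rows. The bound version sends the same text to the engine as a plain string and matches nothing.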

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

25 Jul 2023 — DataEase is an open source data visualization analysis tool. Prior to version 1.18.9, the DataEase panel and dataset have a stored cross-site scripting vulnerability. The vulnerability has been fixed in v1.18.9. There are no known workarounds. • https://github.com/dataease/dataease/releases/tag/v1.18.9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

26 Jun 2023 — DataEase is an open source data visualization analysis tool to analyze data and gain insight into business trends. In affected versions, a missing authorization check allows unauthorized users to manipulate a dashboard created by the administrator. This vulnerability has been fixed in version 1.18.8. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/dataease/dataease/security/advisories/GHSA-grxm-fc3h-3qgj • CWE-862: Missing Authorization •

CVSS: 8.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

26 Jun 2023 — DataEase is an open source data visualization analysis tool to analyze data and gain insight into business trends. In affected versions, unauthorized users can delete an application. This vulnerability has been fixed in version 1.18.8. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/dataease/dataease/security/advisories/GHSA-4c4p-qfwq-85fj • CWE-862: Missing Authorization •