
CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

DataEase is an open source data visualization and analysis tool. Prior to version 1.18.11, DataEase has a vulnerability that allows an attacker to obtain user cookies. The program only uses the `ImageIO.read()` method to determine whether an uploaded file is an image; there is no whitelist restriction on file suffixes. This allows an attacker to synthesize attack code into an image, upload it, and change the file extension to html.
References:
https://github.com/dataease/dataease/commit/826513053146721a2b3e09a9c9d3ea41f8f10569
https://github.com/dataease/dataease/releases/tag/v1.18.11
https://github.com/dataease/dataease/security/advisories/GHSA-w2r4-2r4w-fjxv
CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

DataEase is an open source data visualization and analysis tool. Prior to version 1.18.9, DataEase has a SQL injection vulnerability that can bypass blacklists. The vulnerability has been fixed in v1.18.9. There are no known workarounds.
References:
https://github.com/dataease/dataease/blob/dev/backend/src/main/java/io/dataease/controller/panel/AppLogController.java#L41
https://github.com/dataease/dataease/blob/dev/backend/src/main/java/io/dataease/ext/ExtDataSourceMapper.java
https://github.com/dataease/dataease/security/advisories/GHSA-r39x-fcc6-47g4
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

DataEase is an open source data visualization and analysis tool. Prior to version 1.18.9, the DataEase panel and dataset have a stored cross-site scripting vulnerability. The vulnerability has been fixed in v1.18.9. There are no known workarounds.
References:
https://github.com/dataease/dataease/releases/tag/v1.18.9
https://github.com/dataease/dataease/security/advisories/GHSA-7cm3-9pp6-q2fq
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

DataEase is an open source data visualization and analysis tool used to analyze data and gain insight into business trends. In affected versions, a missing authorization check allows unauthorized users to manipulate a dashboard created by the administrator. This vulnerability has been fixed in version 1.18.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References:
https://github.com/dataease/dataease/security/advisories/GHSA-grxm-fc3h-3qgj
CWE-862: Missing Authorization

CVSS: 8.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

DataEase is an open source data visualization and analysis tool used to analyze data and gain insight into business trends. In affected versions, unauthorized users can erroneously delete an application. This vulnerability has been fixed in version 1.18.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References:
https://github.com/dataease/dataease/security/advisories/GHSA-4c4p-qfwq-85fj
CWE-862: Missing Authorization