
CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

DataEase is an open source data visualization analysis tool to analyze data and gain insight into business trends. In affected versions, unauthorized users can delete an application erroneously. This vulnerability has been fixed in version 1.18.8. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/dataease/dataease/security/advisories/GHSA-4c4p-qfwq-85fj • CWE-862: Missing Authorization

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

DataEase is an open source data visualization analysis tool to analyze data and gain insight into business trends. Affected versions of DataEase have a privilege bypass vulnerability where ordinary users can gain access to the user database. Exposed information includes MD5 hashes of passwords, username, email, and phone number. The vulnerability has been fixed in v1.18.8. Users are advised to upgrade. • https://github.com/dataease/dataease/security/advisories/GHSA-c2r2-68p6-73xv • CWE-732: Incorrect Permission Assignment for Critical Resource

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

DataEase is an open source data visualization and analysis tool. Prior to version 1.18.7, a deserialization vulnerability exists in the DataEase datasource, which can be exploited to execute arbitrary code. The vulnerability has been fixed in v1.18.7. There are no known workarounds aside from upgrading. • https://github.com/dataease/dataease/releases/tag/v1.18.7 • https://github.com/dataease/dataease/security/advisories/GHSA-m26j-gh4m-xh9f • CWE-502: Deserialization of Untrusted Data

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

DataEase is an open source data visualization and analysis tool. The DataEase API interfaces for deleting dashboards and deleting system messages are vulnerable to insecure direct object references (IDOR). This could result in a user deleting another user's dashboard or messages or interfering with the interface for marking messages read. The vulnerability has been fixed in v1.18.7. There are no known workarounds aside from upgrading. • https://github.com/dataease/dataease/commit/72f428e87b5395c03d2f94ef6185fc247ddbc8dc • https://github.com/dataease/dataease/pull/5342 • https://github.com/dataease/dataease/releases/tag/v1.18.7 • https://github.com/dataease/dataease/security/advisories/GHSA-7hv6-gv38-78wj • CWE-639: Authorization Bypass Through User-Controlled Key

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

DataEase is an open source data visualization analysis tool. In DataEase, users are normally allowed to modify data, and the data sources are expected to properly sanitize data. The AWS Redshift data source does not provide data sanitization, which may lead to remote code execution. This vulnerability has been fixed in v1.18.5. Users are advised to upgrade. • https://github.com/dataease/dataease/security/advisories/GHSA-8wg2-9gwc-5fx2 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')