
CVE-2023-35164 – Unauthorized users can manipulate a dashboard created by an administrator in DataEase
https://notcve.org/view.php?id=CVE-2023-35164
26 Jun 2023 — DataEase is an open source data visualization analysis tool to analyze data and gain insight into business trends. In affected versions a missing authorization check allows unauthorized users to manipulate a dashboard created by the administrator. This vulnerability has been fixed in version 1.18.8. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/dataease/dataease/security/advisories/GHSA-grxm-fc3h-3qgj • CWE-862: Missing Authorization •

CVE-2023-34463 – Unauthorized users can delete applications in DataEase
https://notcve.org/view.php?id=CVE-2023-34463
26 Jun 2023 — DataEase is an open source data visualization analysis tool to analyze data and gain insight into business trends. In affected versions, unauthorized users can erroneously delete an application. This vulnerability has been fixed in version 1.18.8. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/dataease/dataease/security/advisories/GHSA-4c4p-qfwq-85fj • CWE-862: Missing Authorization •

CVE-2023-35168 – DataEase has a privilege bypass vulnerability
https://notcve.org/view.php?id=CVE-2023-35168
26 Jun 2023 — DataEase is an open source data visualization analysis tool to analyze data and gain insight into business trends. Affected versions of DataEase have a privilege bypass vulnerability where ordinary users can gain access to the user database. Exposed information includes MD5 hashes of passwords, usernames, email addresses, and phone numbers. The vulnerability has been fixed in v1.18.8. Users are advised to upgrade. • https://github.com/dataease/dataease/security/advisories/GHSA-c2r2-68p6-73xv • CWE-732: Incorrect Permission Assignment for Critical Resource •

CVE-2023-33963 – DataEase data source has deserialization vulnerability
https://notcve.org/view.php?id=CVE-2023-33963
01 Jun 2023 — DataEase is an open source data visualization and analysis tool. Prior to version 1.18.7, a deserialization vulnerability exists in the DataEase datasource, which can be exploited to execute arbitrary code. The vulnerability has been fixed in v1.18.7. There are no known workarounds aside from upgrading. • https://github.com/dataease/dataease/releases/tag/v1.18.7 • CWE-502: Deserialization of Untrusted Data •

CVE-2023-32310 – DataEase API interface has IDOR vulnerability
https://notcve.org/view.php?id=CVE-2023-32310
01 Jun 2023 — DataEase is an open source data visualization and analysis tool. The API interface for DataEase delete dashboard and delete system messages is vulnerable to insecure direct object references (IDOR). This could result in a user deleting another user's dashboard or messages or interfering with the interface for marking messages read. The vulnerability has been fixed in v1.18.7. There are no known workarounds aside from upgrading. • https://github.com/dataease/dataease/commit/72f428e87b5395c03d2f94ef6185fc247ddbc8dc • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2023-28637 – DataEase AWS Redshift data source has a remote code execution vulnerability
https://notcve.org/view.php?id=CVE-2023-28637
28 Mar 2023 — DataEase is an open source data visualization analysis tool. In DataEase, users are normally allowed to modify data, and the data sources are expected to properly sanitize that data. The AWS Redshift data source does not sanitize data, which may lead to remote code execution. This vulnerability has been fixed in v1.18.5. Users are advised to upgrade. • https://github.com/dataease/dataease/security/advisories/GHSA-8wg2-9gwc-5fx2 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVE-2023-28437 – SQL injection vulnerability because the keyword blacklist used to defend against SQL injection can be bypassed
https://notcve.org/view.php?id=CVE-2023-28437
24 Mar 2023 — DataEase is an open source data visualization and analysis tool. The keyword blacklist used for SQL injection protection is missing entries, so it can be bypassed. This vulnerability has been fixed in version 1.18.5. There are no known workarounds. • https://github.com/dataease/dataease/issues/4795 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-28435 – DataEase file upload interface does not verify permissions or file type
https://notcve.org/view.php?id=CVE-2023-28435
24 Mar 2023 — DataEase is an open source data visualization and analysis tool. Permissions for the file upload interface are not checked, so users who are not logged in can upload directly to the backend. The file type is also not checked, so users can upload any type of file. These vulnerabilities have been fixed in version 1.18.5. • https://github.com/dataease/dataease/issues/4798 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-25807 – DataEase dashboard has a stored XSS vulnerability
https://notcve.org/view.php?id=CVE-2023-25807
28 Feb 2023 — DataEase is an open source data visualization and analysis tool. When a dashboard is saved on the DataEase platform, the saved data can be modified to store malicious code. This vulnerability can lead to the execution of the attacker's stored malicious code when a user accesses the dashboard. The vulnerability has been fixed in version 1.18.3. • https://github.com/dataease/dataease/commit/cc94fb8e69ddbb37c96d02ec0f0ddcd74273ef49 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2021-38239
https://notcve.org/view.php?id=CVE-2021-38239
15 Feb 2023 — SQL injection vulnerability in DataEase before 1.2.0 allows attackers to gain sensitive information via the orders parameter to /api/sys_msg/list/1/10. • https://github.com/dataease/dataease/issues/510 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •