CVE-2023-35168 – DataEase has a privilege bypass vulnerability
https://notcve.org/view.php?id=CVE-2023-35168
DataEase is an open source data visualization analysis tool to analyze data and gain insight into business trends. Affected versions of DataEase has a privilege bypass vulnerability where ordinary users can gain access to the user database. Exposed information includes md5 hashes of passwords, username, email, and phone number. The vulnerability has been fixed in v1.18.8. Users are advised to upgrade. • https://github.com/dataease/dataease/security/advisories/GHSA-c2r2-68p6-73xv • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2023-33963 – DataEase data source has deserialization vulnerability
https://notcve.org/view.php?id=CVE-2023-33963
DataEase is an open source data visualization and analysis tool. Prior to version 1.18.7, a deserialization vulnerability exists in the DataEase datasource, which can be exploited to execute arbitrary code. The vulnerability has been fixed in v1.18.7. There are no known workarounds aside from upgrading. • https://github.com/dataease/dataease/releases/tag/v1.18.7 https://github.com/dataease/dataease/security/advisories/GHSA-m26j-gh4m-xh9f • CWE-502: Deserialization of Untrusted Data •
CVE-2023-32310 – DataEase API interface has IDOR vulnerability
https://notcve.org/view.php?id=CVE-2023-32310
DataEase is an open source data visualization and analysis tool. The API interface for DataEase delete dashboard and delete system messages is vulnerable to insecure direct object references (IDOR). This could result in a user deleting another user's dashboard or messages or interfering with the interface for marking messages read. The vulnerability has been fixed in v1.18.7. There are no known workarounds aside from upgrading. • https://github.com/dataease/dataease/commit/72f428e87b5395c03d2f94ef6185fc247ddbc8dc https://github.com/dataease/dataease/pull/5342 https://github.com/dataease/dataease/releases/tag/v1.18.7 https://github.com/dataease/dataease/security/advisories/GHSA-7hv6-gv38-78wj • CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2023-28637 – DataEase AWS redshift data source exists for remote code execution vulnerability
https://notcve.org/view.php?id=CVE-2023-28637
DataEase is an open source data visualization analysis tool. In Dataease users are normally allowed to modify data and the data sources are expected to properly sanitize data. The AWS redshift data source does not provide data sanitization which may lead to remote code execution. This vulnerability has been fixed in v1.18.5. Users are advised to upgrade. • https://github.com/dataease/dataease/security/advisories/GHSA-8wg2-9gwc-5fx2 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2023-28437 – SQL injection vulnerability due to the keyword blacklist for defending against SQL injection will be bypassed
https://notcve.org/view.php?id=CVE-2023-28437
Dataease is an open source data visualization and analysis tool. The blacklist for SQL injection protection is missing entries. This vulnerability has been fixed in version 1.18.5. There are no known workarounds. • https://github.com/dataease/dataease/issues/4795 https://github.com/dataease/dataease/releases/tag/v1.18.5 https://github.com/dataease/dataease/security/advisories/GHSA-7j7j-9rw6-3r56 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •