6 results (0.004 seconds)

CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 0

DataEase is an open source data visualization analysis tool. Prior to 2.10.2, DataEase allows attackers to forge jwt and take over services. The JWT secret is hardcoded in the code, and the UID and OID are hardcoded. The vulnerability has been fixed in v2.10.2. • https://github.com/dataease/dataease/commit/e755248d59543bcd668ace495f293ff735fa82e9 https://github.com/dataease/dataease/security/advisories/GHSA-45v9-gfcv-xcq6 • CWE-798: Use of Hard-coded Credentials •

CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 0

DataEase is an open source data visualization analysis tool that helps users quickly analyze data and gain insights into business trends. In affected versions a the lack of signature verification of jwt tokens allows attackers to forge jwts which then allow access to any interface. The vulnerability has been fixed in v2.10.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/dataease/dataease/security/advisories/GHSA-5jr4-wrm2-xj36 • CWE-347: Improper Verification of Cryptographic Signature •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

DataEase is an open source data visualization analysis tool. Prior to version 2.10.1, an attacker can achieve remote command execution by adding a carefully constructed h2 data source connection string. The vulnerability has been fixed in v2.10.1. • https://github.com/dataease/dataease/security/advisories/GHSA-h7mj-m72h-qm8w • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0

DataEase is an open source data visualization analysis tool. Prior to version 2.10.1, there is an XML external entity injection vulnerability in the static resource upload interface of DataEase. An attacker can construct a payload to implement intranet detection and file reading. The vulnerability has been fixed in v2.10.1. • https://github.com/dataease/dataease/security/advisories/GHSA-4m9p-7xg6-f4mm • CWE-611: Improper Restriction of XML External Entity Reference •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

DataEase, an open source data visualization and analysis tool, has a database configuration information exposure vulnerability prior to version 2.5.0. Visiting the `/de2api/engine/getEngine;.js` path via a browser reveals that the platform's database configuration is returned. The vulnerability has been fixed in v2.5.0. No known workarounds are available aside from upgrading. DataEase, una herramienta de análisis y visualización de datos de código abierto, tiene una vulnerabilidad de exposición de información de configuración de base de datos anterior a la versión 2.5.0. • https://github.com/dataease/dataease/releases/tag/v2.5.0 https://github.com/dataease/dataease/security/advisories/GHSA-8gvx-4qvj-6vv5 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •