CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-55890 – D-Tale allows Remote Code Execution through the Custom Filter Input
https://notcve.org/view.php?id=CVE-2024-55890
13 Dec 2024 — D-Tale is a visualizer for pandas data structures. Prior to version 3.16.1, users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.16.1 where the `update-settings` endpoint blocks the ability for users to update the `enable_custom_filters` flag. The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users. • https://github.com/man-group/dtale#custom-filter • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49224 – WordPress Mitm Bug Tracker plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-49224
14 Oct 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Mahesh Patel Mitm Bug Tracker allows Reflected XSS.This issue affects Mitm Bug Tracker: from n/a through 1.0. La vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web (XSS o 'Cross-site Scripting') en Mahesh Patel Mitm Bug Tracker permite XSS reflejado. Este problema afecta a Mitm Bug Tracker: desde n/a hasta 1.0. The Mitm Bug Tracker plugin for WordPress is v... • https://patchstack.com/database/vulnerability/mitm-bug-tracker/wordpress-mitm-bug-tracker-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45595 – D-Tale allows Remote Code Execution through the Query input on Chart Builder
https://notcve.org/view.php?id=CVE-2024-45595
10 Sep 2024 — D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.14.1 where the "Custom Filter" input is turned off by default. • https://github.com/man-group/dtale#custom-filter • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2024-3408 – Authentication Bypass and RCE in man-group/dtale
https://notcve.org/view.php?id=CVE-2024-3408
06 Jun 2024 — man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `... • https://packetstorm.news/files/id/189509 • CWE-20: Improper Input Validation CWE-798: Use of Hard-coded Credentials •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-21642 – D-Tale server-side request forgery through Web uploads
https://notcve.org/view.php?id=CVE-2024-21642
05 Jan 2024 — D-Tale is a visualizer for Pandas data structures. Users hosting versions D-Tale prior to 3.9.0 publicly can be vulnerable to server-side request forgery (SSRF), allowing attackers to access files on the server. Users should upgrade to version 3.9.0, where the `Load From the Web` input is turned off by default. The only workaround for versions earlier than 3.9.0 is to only host D-Tale to trusted users. D-Tale es un visualizador de estructuras de datos de Pandas. • https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46134 – D-Tale vulnerable to Remote Code Execution through the Custom Filter Input
https://notcve.org/view.php?id=CVE-2023-46134
25 Oct 2023 — D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to version 3.7.0, users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. This issue has been patched in version 3.7.0 by turning off "Custom Filter" input by default. The only workaround for versions earlier than 3.7.0 is to only host D-Tale to trusted users. D-Tale es la combinación de un back-end de Flask y un front-e... • https://github.com/man-group/dtale/commit/bf8c54ab2490803f45f0652a9a0e221a94d39668 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-46021
https://notcve.org/view.php?id=CVE-2022-46021
31 Mar 2023 — X-Man 1.0 has a SQL injection vulnerability, which can cause data leakage. • https://github.com/Howard512966/x-man-injection • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2018-25078 – Gentoo Linux Security Advisory 202310-08
https://notcve.org/view.php?id=CVE-2018-25078
25 Jan 2023 — man-db before 2.8.5 on Gentoo allows local users (with access to the man user account) to gain root privileges because /usr/bin/mandb is executed by root but not owned by root. (Also, the owner can strip the setuid and setgid bits.) A root privilege escalation through setuid executable and cron job has been discovered in man-db. Versions greater than or equal to 2.8.5 are affected. • https://bugs.gentoo.org/662438 •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2018-17046
https://notcve.org/view.php?id=CVE-2018-17046
14 Sep 2018 — translate man before 2018-08-21 has XSS via containers/outputBox/outputBox.vue and store/index.js. translate man antes del 2018-08-21 tiene Cross-Site Scripting (XSS) mediante containers outputBox outputBox.vue y store index.js. • https://github.com/magic-FE/translate-man/issues/49 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2018-14429 – man-cgi Local File Inclusion
https://notcve.org/view.php?id=CVE-2018-14429
08 Aug 2018 — man-cgi before 1.16 allows Local File Inclusion via absolute path traversal, as demonstrated by a cgi-bin/man-cgi?/etc/passwd URI. man-cgi en versiones anteriores a la 1.16 permite la inclusión de archivos locales mediante un salto de directorio absoluto, tal y como queda demostrado con un URI cgi-bin/man-cgi?/etc/passwd. man-cgi versions prior to 1.16 suffer from a local file inclusion vulnerability. • https://packetstorm.news/files/id/148855 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •