CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-21642 – D-Tale server-side request forgery through Web uploads
https://notcve.org/view.php?id=CVE-2024-21642
05 Jan 2024 — D-Tale is a visualizer for Pandas data structures. Users hosting versions D-Tale prior to 3.9.0 publicly can be vulnerable to server-side request forgery (SSRF), allowing attackers to access files on the server. Users should upgrade to version 3.9.0, where the `Load From the Web` input is turned off by default. The only workaround for versions earlier than 3.9.0 is to only host D-Tale to trusted users. D-Tale es un visualizador de estructuras de datos de Pandas. • https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-46134 – D-Tale vulnerable to Remote Code Execution through the Custom Filter Input
https://notcve.org/view.php?id=CVE-2023-46134
25 Oct 2023 — D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to version 3.7.0, users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. This issue has been patched in version 3.7.0 by turning off "Custom Filter" input by default. The only workaround for versions earlier than 3.7.0 is to only host D-Tale to trusted users. D-Tale es la combinación de un back-end de Flask y un front-e... • https://github.com/man-group/dtale/commit/bf8c54ab2490803f45f0652a9a0e221a94d39668 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •