CVE-2023-28435

Dataease is an open source data visualization and analysis tool. The permissions for the file upload interface are not checked, so users who are not logged in can upload directly to the backend. The file type also goes unchecked, so users can upload any type of file. These vulnerabilities have been fixed in version 1.18.5.
References

  • https://github.com/dataease/dataease/issues/4798 (Exploit, Issue Tracking, Third Party Advisory)
  • https://github.com/dataease/dataease/security/advisories/GHSA-625h-q3g9-rffc (Exploit, Vendor Advisory)
Configurations

Configuration 1

cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*

History

31 Mar 2023, 14:28

Type | Values Removed | Values Added
CPE | - | cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*
References | (MISC) https://github.com/dataease/dataease/security/advisories/GHSA-625h-q3g9-rffc | (MISC) https://github.com/dataease/dataease/security/advisories/GHSA-625h-q3g9-rffc - Exploit, Vendor Advisory
References | (MISC) https://github.com/dataease/dataease/issues/4798 | (MISC) https://github.com/dataease/dataease/issues/4798 - Exploit, Issue Tracking, Third Party Advisory
CVSS | v2: unknown, v3: unknown | v2: unknown, v3: 6.1

27 Mar 2023, 12:40

Type | Values Removed | Values Added
New CVE | - | -

Information

Published : 2023-03-24 21:15

Updated : 2024-02-04 23:37


NVD link : CVE-2023-28435

Mitre link : CVE-2023-28435

CVE.ORG link : CVE-2023-28435

Products Affected

dataease

  • dataease
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')