CVE-2024-45595

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-45595
D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.14.1 where the "Custom Filter" input is turned off by default.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/man-group/dtale#custom-filter Product
https://github.com/man-group/dtale/commit/b6e30969390520d1400b55acbb13e5487b8472e8 Patch
https://github.com/man-group/dtale/security/advisories/GHSA-pw44-4h99-wqff Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:man:d-tale:*:*:*:*:*:*:*:*
History

20 Sep 2024, 19:59

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 6.1 		v2 : unknown
v3 : 9.8
CPE cpe:2.3:a:man:d-tale:*:*:*:*:*:*:*:*
First Time Man
Man d-tale
Summary
  • (es) D-Tale es un visualizador de estructuras de datos de Pandas. Los usuarios que alojan D-Tale públicamente pueden ser vulnerables a la ejecución remota de código, lo que permite a los atacantes ejecutar código malicioso en el servidor. Los usuarios deben actualizar a la versión 3.14.1, donde la entrada "Filtro personalizado" está desactivada de forma predeterminada.
References () https://github.com/man-group/dtale#custom-filter - () https://github.com/man-group/dtale#custom-filter - Product
References () https://github.com/man-group/dtale/commit/b6e30969390520d1400b55acbb13e5487b8472e8 - () https://github.com/man-group/dtale/commit/b6e30969390520d1400b55acbb13e5487b8472e8 - Patch
References () https://github.com/man-group/dtale/security/advisories/GHSA-pw44-4h99-wqff - () https://github.com/man-group/dtale/security/advisories/GHSA-pw44-4h99-wqff - Vendor Advisory
CWE NVD-CWE-noinfo

10 Sep 2024, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-09-10 16:15

Updated : 2024-09-20 19:59

NVD link : CVE-2024-45595

Mitre link : CVE-2024-45595

CVE.ORG link : CVE-2024-45595

JSON object : View

Products Affected

man

  • d-tale
CWE
NVD-CWE-noinfo CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')