CVE-2025-49002

DataEase is an open source business intelligence and data visualization tool. Versions prior to 2.10.10 have a flaw in the patch for CVE-2025-32966 that allows the patch to be bypassed through case insensitivity, because INIT and RUNSCRIPT are prohibited. The vulnerability has been fixed in v2.10.10. No known workarounds are available.

Configurations

Configuration 1

cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*

History

05 Jun 2025, 14:07

Type | Values Removed | Values Added
References | https://github.com/dataease/dataease/security/advisories/GHSA-999m-jv2p-5h34 | https://github.com/dataease/dataease/security/advisories/GHSA-999m-jv2p-5h34 - Exploit, Third Party Advisory
References | https://github.com/dataease/dataease/security/advisories/GHSA-h7hj-4j78-cvc7 | https://github.com/dataease/dataease/security/advisories/GHSA-h7hj-4j78-cvc7 - Exploit, Third Party Advisory
CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 9.8
CWE | | NVD-CWE-Other
First Time | | Dataease dataease; Dataease
CPE | | cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*

04 Jun 2025, 14:15

Type Values Removed Values Added
References () https://github.com/dataease/dataease/security/advisories/GHSA-h7hj-4j78-cvc7 - () https://github.com/dataease/dataease/security/advisories/GHSA-h7hj-4j78-cvc7 -
Summary
  • (es) DataEase es una herramienta de código abierto para inteligencia empresarial y visualización de datos. Las versiones anteriores a la 2.10.10 presentan una vulnerabilidad en el parche para CVE-2025-32966 que permite omitir el parche mediante la insensibilidad a mayúsculas y minúsculas, ya que INIT y RUNSCRIPT están prohibidos. Esta vulnerabilidad se ha corregido en la versión 2.10.10. No se conocen workarounds.

03 Jun 2025, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-06-03 21:15

Updated : 2025-06-05 14:07


NVD link : CVE-2025-49002

Mitre link : CVE-2025-49002

CVE.ORG link : CVE-2025-49002


Products Affected

dataease

  • dataease

CWE
CWE-290

Authentication Bypass by Spoofing

NVD-CWE-Other