CVE-2023-40183 in DataEaseinformação

Sumário

de MITRE • 21/09/2023

DataEase is an open source data visualization and analysis tool. Prior to version 1.18.11, DataEase has a vulnerability that allows an attacker to to obtain user cookies. The program only uses the `ImageIO.read()` method to determine whether the file is an image file or not. There is no whitelisting restriction on file suffixes. This allows the attacker to synthesize the attack code into an image for uploading and change the file extension to html. The attacker may steal user cookies by accessing links. The vulnerability has been fixed in v1.18.11. There are no known workarounds.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsável

GitHub, Inc.

Reservar

09/08/2023

Divulgação

21/09/2023

Moderação

aceite

Entrada

VDB-240143

CPE

pronto

CWE

CWE-434 (confirmado)

CVSS

5.3 (NVD)

EPSS

0.00102

KEV

não

Atividades

muito baixo

Fontes

MITRE	https://www.cve.org/CVERecord?id=CVE-2023-40183
NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-40183
CVE Details	https://www.cvedetails.com/cve/CVE-2023-40183/

◂ Voltar Visão Geral Próximo ▸

Do you know our Splunk app?

Download it now for free!