CVE-2023-28435

EUVD-2023-32125
Dataease is an open source data visualization and analysis tool. The permissions for the file upload interface is not checked so users who are not logged in can upload directly to the background. The file type also goes unchecked, users could upload any type of file. These vulnerabilities has been fixed in version 1.18.5.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
GitHub_MCNA
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 55%
Affected Products (NVD)
VendorProductVersion
dataeasedataease
𝑥
< 1.18.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/dataease/dataease/issues/4798
https://github.com/dataease/dataease/security/advisories/GHSA-625h-q3g9-rffc
https://github.com/dataease/dataease/issues/4798
https://github.com/dataease/dataease/security/advisories/GHSA-625h-q3g9-rffc