DataEase API interface has IDOR vulnerability
CVE-2023-32310

8.1HIGH

Key Information:

Vendor

dataease

Status
dataease
Vendor
CVE Published:
1 June 2023

What is CVE-2023-32310?

The API interface of the DataEase open-source data visualization tool has a vulnerability that allows an attacker to exploit insecure direct object references (IDOR). This can lead to unauthorized deletion of another user's dashboard and system messages, as well as interference with message notifications. The issue has been resolved in version 1.18.7, and users are strongly encouraged to upgrade to ensure their data remains secure. No known bypass methods exist, making an upgrade essential for protection.

Affected Version(s)

dataease < 1.18.7

References

https://github.com/dataease/dataease/security/advisories/...
x_refsource_CONFIRM
https://github.com/dataease/dataease/pull/5342
x_refsource_MISC
https://github.com/dataease/dataease/commit/72f428e87b539...
x_refsource_MISC

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.