DataEase has a vulnerability to obtain user cookies
CVE-2023-40183

7.5HIGH

Key Information:

Vendor: Dataease
Status: Dataease
Vendor: CVE Published:; 21 September 2023

What is CVE-2023-40183?

DataEase, an open-source data visualization and analysis tool, harbors a vulnerability that could allow attackers to capture user cookies. This issue arises from the application only utilizing the ImageIO.read() method to verify file types, lacking sufficient whitelisting for file suffixes. Consequently, an attacker can embed malicious code within an image file by altering its extension to HTML. Once uploaded, the attacker can access links and potentially steal sensitive user cookies. This vulnerability has been addressed in version 1.18.11, and no workarounds are available.

Affected Version(s)

dataease < 1.18.11

References

https://github.com/dataease/dataease/security/advisories/...

x_refsource_CONFIRM

https://github.com/dataease/dataease/commit/8265130531467...

x_refsource_MISC

https://github.com/dataease/dataease/releases/tag/v1.18.11

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 21, 2023
Vulnerability Reserved
Aug 9, 2023

Dataease

What is CVE-2023-40183?

Affected Version(s)

References

CVSS V3.1

Timeline