XML External Entity Injection in DataEase Data Visualization Tool
CVE-2024-46985

7.5HIGH

Key Information:

Vendor: Dataease
Status: Dataease
Vendor: CVE Published:; 23 September 2024

What is CVE-2024-46985?

An XML external entity injection vulnerability exists in the static resource upload interface of the DataEase data visualization tool, impacting versions prior to 2.10.1. This security flaw allows attackers to create specially crafted payloads that can trigger intranet detection and enable unauthorized access to sensitive files, posing serious risks to the integrity and confidentiality of the data processed by the tool. Users of affected versions are strongly encouraged to update to version 2.10.1 or later to mitigate this vulnerability.

References

https://github.com/dataease/dataease/security/advisories/...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 23, 2024

Dataease

What is CVE-2024-46985?

References

CVSS V3.1

Timeline