CVE-2023-32310

Exploit

EPSS 0.15%
Published 01.06.2023 16:15:09
Last modified 21.11.2024 08:03:05
Source security-advisories@github.com
Teams watchlist Login
Open Login

DataEase is an open source data visualization and analysis tool. The API interface for DataEase delete dashboard and delete system messages is vulnerable to insecure direct object references (IDOR). This could result in a user deleting another user's dashboard or messages or interfering with the interface for marking messages read. The vulnerability has been fixed in v1.18.7. There are no known workarounds aside from upgrading.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Dataease ≫ Dataease Version < 1.18.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.15%	0.361

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
security-advisories@github.com	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://github.com/dataease/dataease/commit/72f428e87b5395c03d2f94ef6185fc247ddbc8dc

Patch

https://github.com/dataease/dataease/pull/5342

Patch

Vendor Advisory

https://github.com/dataease/dataease/releases/tag/v1.18.7

Release Notes

https://github.com/dataease/dataease/security/advisories/GHSA-7hv6-gv38-78wj

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2023-32310

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-32310

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-32310

EUVD