CVE-2023-46134

EPSS 0.76%
Veröffentlicht 25.10.2023 21:15:10
Zuletzt bearbeitet 21.11.2024 08:27:57
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

D-Tale vulnerable to Remote Code Execution through the Custom Filter Input

D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to version 3.7.0, users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. This issue has been patched in version 3.7.0 by turning off "Custom Filter" input by default. The only workaround for versions earlier than 3.7.0 is to only host D-Tale to trusted users.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Man ≫ D-tale Version < 3.7.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.76%	0.503

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/man-group/dtale/commit/bf8c54ab2490803f45f0652a9a0e221a94d39668

Patch

https://github.com/man-group/dtale/security/advisories/GHSA-jq6c-r9xf-qxjm

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-46134

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-46134

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-46134

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-46134