9.8
CVE-2024-45595
- EPSS 0.74%
- Veröffentlicht 10.09.2024 16:15:21
- Zuletzt bearbeitet 20.09.2024 19:59:02
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginD-Tale allows Remote Code Execution through the Query input on Chart Builder
D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.14.1 where the "Custom Filter" input is turned off by default.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.74% | 0.498 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://github.com/man-group/dtale#custom-filter
https://github.com/man-group/dtale/commit/b6e30969390520d1400b55acbb13e5487b8472e8
https://github.com/man-group/dtale/security/advisories/GHSA-pw44-4h99-wqff