7.1
CVE-2026-50530
- EPSS 0.24%
- Veröffentlicht 07.07.2026 20:41:07
- Zuletzt bearbeitet 08.07.2026 15:07:37
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
DataEase: Token with Overly Broad Privileges in Share Mode: Access to Unshared Datasets
DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, a share mode chart data interface only validates that sceneId matches the resourceId in the link token and fails to validate whether tableId and field IDs in the request body belong to the shared resource, allowing an attacker with a valid share link token to replace dataset identifiers and retrieve unauthorized data through POST /de2api/chartData/getData. This issue is fixed in version 2.10.24.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellerdataease
≫
Produkt
dataease
Version
< 2.10.24
Status
affected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.24% | 0.147 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.1 | 0 | 0 |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
|
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
https://github.com/dataease/dataease/commit/c4e85a981e53c95b1ea73757db31e3025efdc410
https://github.com/dataease/dataease/releases/tag/v2.10.24
https://github.com/dataease/dataease/security/advisories/GHSA-qcf4-345v-6vg9