logo
Vulnerability feed
CONTRIBUTE

Vulnerability

warn

CVE-2023-40183

Reference to the description:

https://nvd.nist.gov/vuln/detail/CVE-2023-40183

Description:
DataEase is an open source data visualization and analysis tool. Prior to version 1.18.11, DataEase has a vulnerability that allows an attacker to to obtain user cookies. The program only uses the `ImageIO.read()` method to determine whether the file is an image file or not. There is no whitelisting restriction on file suffixes. This allows the attacker to synthesize the attack code into an image for uploading and change the file extension to html. The attacker may steal user cookies by accessing links. The vulnerability has been fixed in v1.18.11. There are no known workarounds.
Last updated date:
09/26/2023
Type:
exploit
Confidence:
HIGH
Date of publishing:
09/26/2023
Reference url to background

https://github.com/dataease/dataease/security/advisories/GHSA-w2r4-2r4w-fjxv

Vulnerability FeedContributorsAboutBlog

@inTheWild

©2024

Privacy Policy