CVE-2023-28435— Dataease file upload interface does not verify permission or file type

Dataease file upload interface does not verify permission or file type

Dataease is an open source data visualization and analysis tool. The permissions for the file upload interface is not checked so users who are not logged in can upload directly to the background. The file type also goes unchecked, users could upload any type of file. These vulnerabilities has been fixed in version 1.18.5.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

DataEase 跨站脚本漏洞

DataEase是一个开源的数据可视化分析工具。用于帮助用户快速分析数据并洞察业务趋势，从而实现业务的改进与优化。 DataEase 1.18.4及之前版本存在跨站脚本漏洞，该漏洞源于没有检查文件上传界面的权限。

N/A

N/A