CVE-2024-29890 HIGH

CVE-2024-29890: Remote code execution in datalens-ui

Vendor Datalens-Tech
Product datalens
Weakness CWE-79 · XSS
Published March 29, 2024
Last update August 2, 2024
View on NVD All CVEs

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

DataLens is a business intelligence and data visualization system. A specifically crafted request allowed the creation of a special chart type with the ability to pass custom javascript code that would later be executed in an unprotected sandbox on subsequent requests to that chart. The problem was fixed in the datalens-ui version `0.1449.0`. Restricting access to the API for creating or modifying charts (`/charts/api/charts/v1/`) would mitigate the issue.

Key dates

02Disclosure timeline

March 29, 2024 CVE published
August 2, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-13959 Filestack <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes CVE-2024-12892 code-projects Online Exam Mastering System sign.php cross site scripting CVE-2022-41702 Delta Electronics DIAEnergie CVE-2023-49846 WordPress Author Avatars List/Block Plugin <= 2.1.17 is vulnerable to Cross Site Scripting (XSS) CVE-2023-1131 SourceCodester Computer Parts Sales and Inventory System customer.php cross site scripting