CVE-2024-46985 HIGH

CVE-2024-46985: DataEase has an XXE vulnerability

Vendor Dataease
Product dataease
Weakness CWE-611 · XXE
Published September 23, 2024
Last update September 23, 2024

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

DataEase is an open source data visualization and analysis tool. Prior to version 2.10.1, the static resource upload interface of DataEase is vulnerable to XML external entity (XXE) injection. An attacker can craft a payload to probe the internal network and read files. The vulnerability has been fixed in v2.10.1.

Key dates

02 Disclosure timeline

September 23, 2024 CVE published
September 23, 2024 Record updated