CVE-2025-62421 MEDIUM

CVE-2025-62421: DataEase vulnerable to stored cross-site scripting via file upload bypass

Vendor Dataease
Product dataease
Weakness CWE-79 · XSS
Published October 17, 2025
Last update October 17, 2025
View on NVD All CVEs

CVSS base score

5.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P

What the vulnerability does

01Description

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a stored cross-site scripting vulnerability exists due to improper file upload validation and authentication bypass. The StaticResourceApi interface defines a route upload/{fileId} that uses a URL path parameter where both the filename and extension of uploaded files are controllable by users. During permission validation, the TokenFilter invokes the WhitelistUtils#match method to determine if the URL path is in the allowlist. If the requestURI ends with .js or similar extensions, it is directly deemed safe and bypasses permission checks. This allows an attacker to access "upload/1.js" while specifying arbitrary file extensions, enabling the upload of HTML files containing malicious JavaScript. The vulnerability is fixed in version 2.10.14. No known workarounds exist.

Key dates

02Disclosure timeline

October 17, 2025 CVE published
October 17, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-28001 WordPress Favicon Rotator plugin <= 1.2.10 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2021-39343 MPL-Publisher – Self-publish your book & ebook <= 1.30.2 Authenticated Stored Cross-Site Scripting CVE-2026-6034 code-projects Vehicle Showroom Management System ProfitAndLossReport.php cross site scripting CVE-2018-3823 CVE-2025-10295 Angel – Fashion Model Agency WordPress CMS Theme <= 3.2.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting