CVE-2023-46134

Published: Oct 25, 2023Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to version 3.7.0, users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. This issue has been patched in version 3.7.0 by turning off "Custom Filter" input by default. The only workaround for versions earlier than 3.7.0 is to only host D-Tale to trusted users.

Affected (1)

Products: Man: D Tale

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Man D Tale	Before 3.7.0

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (4)

https://github.com/man-group/dtale/commit/bf8c54ab2490803f45f0652a9a0e221a94d39668

Source: security-advisories@github.com

Patch

https://github.com/man-group/dtale/security/advisories/GHSA-jq6c-r9xf-qxjm

Source: security-advisories@github.com

Vendor Advisory

https://github.com/man-group/dtale/commit/bf8c54ab2490803f45f0652a9a0e221a94d39668

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/man-group/dtale/security/advisories/GHSA-jq6c-r9xf-qxjm

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.