CVE-2024-45595

D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.14.1 where the "Custom Filter" input is turned off by default.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/man-group/dtale#custom-filter	Product
https://github.com/man-group/dtale/commit/b6e30969390520d1400b55acbb13e5487b8472e8	Patch
https://github.com/man-group/dtale/security/advisories/GHSA-pw44-4h99-wqff	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:man:d-tale:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-09-10 16:15

Updated : 2024-09-20 19:59

NVD link : CVE-2024-45595

Mitre link : CVE-2024-45595

CVE.ORG link : CVE-2024-45595

JSON object : View

Products Affected

man

d-tale

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

NVD-CWE-noinfo

{"id": "CVE-2024-45595", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-09-10T16:15:21.970", "references": [{"url": "https://github.com/man-group/dtale#custom-filter", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/man-group/dtale/commit/b6e30969390520d1400b55acbb13e5487b8472e8", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/man-group/dtale/security/advisories/GHSA-pw44-4h99-wqff", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.14.1 where the \"Custom Filter\" input is turned off by default."}, {"lang": "es", "value": "D-Tale es un visualizador de estructuras de datos de Pandas. Los usuarios que alojan D-Tale p\u00fablicamente pueden ser vulnerables a la ejecuci\u00f3n remota de c\u00f3digo, lo que permite a los atacantes ejecutar c\u00f3digo malicioso en el servidor. Los usuarios deben actualizar a la versi\u00f3n 3.14.1, donde la entrada \"Filtro personalizado\" est\u00e1 desactivada de forma predeterminada."}], "lastModified": "2024-09-20T19:59:02.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:man:d-tale:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8D13C5E8-29D1-4532-88C1-826651CDA34E", "versionEndExcluding": "3.14.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}