CVE-2023-28435: Dataease file upload interface does not verify permission or file type
First published: Fri Mar 24 2023(Updated: )
Dataease is an open source data visualization and analysis tool. The permissions for the file upload interface is not checked so users who are not logged in can upload directly to the background. The file type also goes unchecked, users could upload any type of file. These vulnerabilities has been fixed in version 1.18.5.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Dataease | <1.18.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-28435?
CVE-2023-28435 is a vulnerability in Dataease, an open source data visualization and analysis tool, where the permissions for the file upload interface are not checked, allowing users who are not logged in to upload directly to the background.
What is the severity of CVE-2023-28435?
CVE-2023-28435 has a severity value of 6.1, which is considered medium.
What is the affected software for CVE-2023-28435?
The affected software for CVE-2023-28435 is Dataease version up to exclusive 1.18.5.
How can I fix CVE-2023-28435?
To fix CVE-2023-28435, it is recommended to update Dataease to a version that includes the necessary security patches.
Where can I find more information about CVE-2023-28435?
More information about CVE-2023-28435 can be found in the GitHub issues and security advisories for Dataease.
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/dataease
- canonical/dataease