Dataease

All CVEs

80 total · sorted by risk
  • CVE-2025-27103 · Mar 13, 2025
    risk 0.00 · cvss · epss 0.00

    DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, a bypass for the patch for CVE-2024-55953 allows authenticated users to read and deserialize arbitrary files through the background JDBC connection. The vulnerability has been…

  • CVE-2025-24974 · Mar 13, 2025
    risk 0.00 · cvss · epss 0.00

    DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, authenticated users can read and deserialize arbitrary files through the background JDBC connection. The vulnerability has been fixed in v2.10.6. No known workarounds are…

  • CVE-2024-57707 · Feb 7, 2025
    risk 0.00 · cvss · epss 0.01

    An issue in DataEase v1 allows an attacker to execute arbitrary code via the user account and password components.

  • CVE-2024-56511 · Jan 10, 2025
    risk 0.00 · cvss · epss 0.21

    DataEase is an open source data visualization analysis tool. Prior to 2.10.4, there is a flaw in the authentication in the io.dataease.auth.filter.TokenFilter class, which can be bypassed and cause the risk of unauthorized access. In the io.dataease.auth.filter.TokenFilter…

  • CVE-2024-55952 · Dec 18, 2024
    risk 0.00 · cvss · epss 0.01

    DataEase is an open source business analytics tool. Authenticated users can remotely execute code through the backend JDBC connection. When constructing the JDBC connection string, the parameters are not filtered. Constructing the host as ip:5432/test/?socketFactory=org.springfra…

  • CVE-2024-55953 · Dec 18, 2024
    risk 0.00 · cvss · epss 0.01

    DataEase is an open source business analytics tool. Authenticated users can read and deserialize arbitrary files through the background JDBC connection. When constructing the JDBC connection string, the parameters are not filtered. This vulnerability has been fixed in v1.18.27.…

  • CVE-2024-52295 · Nov 13, 2024
    risk 0.00 · cvss · epss 0.01

    DataEase is an open source data visualization analysis tool. Prior to 2.10.2, DataEase allows attackers to forge a JWT and take over services. The JWT secret is hardcoded in the code, and the UID and OID are hardcoded. The vulnerability has been fixed in v2.10.2.

  • CVE-2024-47074 · Oct 11, 2024
    risk 0.00 · cvss · epss 0.01

    DataEase is an open source data visualization analysis tool. In Dataease, the PostgreSQL data source in the data source function can customize the JDBC connection parameters and the PG server target to be connected. In backend/src/main/java/io/dataease/provider/datasource/JdbcPro…

  • CVE-2024-46985 · Sep 23, 2024
    risk 0.00 · cvss · epss 0.01

    DataEase is an open source data visualization analysis tool. Prior to version 2.10.1, there is an XML external entity injection vulnerability in the static resource upload interface of DataEase. An attacker can construct a payload to implement intranet detection and file…

  • CVE-2024-31441 · May 10, 2024
    risk 0.00 · cvss · epss 0.01

    DataEase is an open source data visualization analysis tool. Due to the lack of restrictions on the connection parameters for the ClickHouse data source, it is possible to exploit certain malicious parameters to achieve arbitrary file reading. The vulnerability has been fixed in…

  • CVE-2024-23328 · Feb 1, 2024
    risk 0.00 · cvss · epss 0.01

    Dataease is an open source data visualization analysis tool. A deserialization vulnerability exists in the DataEase datasource, which can be exploited to execute arbitrary code. The location of the vulnerability code is `core/core-backend/src/main/java/io/dataease/datasource/type…

  • CVE-2023-40183 · Sep 21, 2023
    risk 0.00 · cvss · epss 0.01

    DataEase is an open source data visualization and analysis tool. Prior to version 1.18.11, DataEase has a vulnerability that allows an attacker to obtain user cookies. The program only uses the `ImageIO.read()` method to determine whether the file is an image file or not.…

  • CVE-2023-40771 · Sep 1, 2023
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in DataEase v.1.18.9 allows a remote attacker to obtain sensitive information via a crafted string outside of the blacklist function.

  • CVE-2023-37258 · Jul 25, 2023
    risk 0.00 · cvss · epss 0.01

    DataEase is an open source data visualization analysis tool. Prior to version 1.18.9, DataEase has a SQL injection vulnerability that can bypass blacklists. The vulnerability has been fixed in v1.18.9. There are no known workarounds.

  • CVE-2023-37257 · Jul 25, 2023
    risk 0.00 · cvss · epss 0.00

    DataEase is an open source data visualization analysis tool. Prior to version 1.18.9, the DataEase panel and dataset have a stored cross-site scripting vulnerability. The vulnerability has been fixed in v1.18.9. There are no known workarounds.

  • CVE-2023-35164 · Jun 26, 2023
    risk 0.00 · cvss · epss 0.00

    DataEase is an open source data visualization analysis tool to analyze data and gain insight into business trends. In affected versions, a missing authorization check allows unauthorized users to manipulate a dashboard created by the administrator. This vulnerability has been…

  • CVE-2023-34463 · Jun 26, 2023
    risk 0.00 · cvss · epss 0.01

    DataEase is an open source data visualization analysis tool to analyze data and gain insight into business trends. In affected versions, unauthorized users can delete an application erroneously. This vulnerability has been fixed in version 1.18.8. Users are advised to upgrade.…

  • CVE-2023-35168 · Jun 26, 2023
    risk 0.00 · cvss · epss 0.01

    DataEase is an open source data visualization analysis tool to analyze data and gain insight into business trends. Affected versions of DataEase have a privilege bypass vulnerability where ordinary users can gain access to the user database. Exposed information includes md5…

  • CVE-2023-32310 · Jun 1, 2023
    risk 0.00 · cvss · epss 0.01

    DataEase is an open source data visualization and analysis tool. The API interface for DataEase delete dashboard and delete system messages is vulnerable to insecure direct object references (IDOR). This could result in a user deleting another user's dashboard or messages or…

  • CVE-2023-28637 · Mar 28, 2023
    risk 0.00 · cvss · epss 0.01

    DataEase is an open source data visualization analysis tool. In Dataease, users are normally allowed to modify data and the data sources are expected to properly sanitize data. The AWS redshift data source does not provide data sanitization which may lead to remote code…

  • CVE-2023-28437 · Mar 24, 2023
    risk 0.00 · cvss · epss 0.01

    Dataease is an open source data visualization and analysis tool. The blacklist for SQL injection protection is missing entries. This vulnerability has been fixed in version 1.18.5. There are no known workarounds.

  • CVE-2023-28435 · Mar 24, 2023
    risk 0.00 · cvss · epss 0.00

    Dataease is an open source data visualization and analysis tool. The permissions for the file upload interface are not checked, so users who are not logged in can upload directly to the background. The file type also goes unchecked; users could upload any type of file. These…

  • CVE-2023-25807 · Feb 28, 2023
    risk 0.00 · cvss · epss 0.01

    DataEase is an open source data visualization and analysis tool. When saving a dashboard on the DataEase platform, saved data can be modified and store malicious code. This vulnerability can lead to the execution of malicious code stored by the attacker on the server side when…

  • CVE-2021-38239 · Feb 15, 2023
    risk 0.00 · cvss · epss 0.01

    SQL injection vulnerability in dataease before 1.2.0 allows attackers to gain sensitive information via the orders parameter to /api/sys_msg/list/1/10.

  • CVE-2022-39312 · Oct 25, 2022
    risk 0.00 · cvss · epss 0.01

    Dataease is an open source data visualization analysis tool. Dataease prior to 1.15.2 has a deserialization vulnerability. In Dataease, the MySQL data source in the data source function can customize the JDBC connection parameters and the MySQL server target to be connected. In…

  • CVE-2022-34114 · Jul 22, 2022
    risk 0.00 · cvss · epss 0.01

    Dataease v1.11.1 was discovered to contain a SQL injection vulnerability via the parameter dataSourceId.

  • CVE-2022-34112 · Jul 22, 2022
    risk 0.00 · cvss · epss 0.01

    An access control issue in the component /api/plugin/uninstall of Dataease v1.11.1 allows attackers to arbitrarily uninstall the plugin, a right normally reserved for the administrator.

  • CVE-2022-34113 · Jul 22, 2022
    risk 0.00 · cvss · epss 0.01

    An issue in the component /api/plugin/upload of Dataease v1.11.1 allows attackers to execute arbitrary code via a crafted plugin.

  • CVE-2022-34115 · Jul 22, 2022
    risk 0.00 · cvss · epss 0.01

    DataEase v1.11.1 was discovered to contain an arbitrary file write vulnerability via the parameter dataSourceId.

  • CVE-2022-23331 · Feb 8, 2022
    risk 0.00 · cvss · epss 0.01

    In DataEase v1.6.1, an authenticated user can gain unauthorized access to all user information and can change the administrator password.
