Home > Vulnerability Database > CVE-2023-40183

Mend.io Vulnerability Database

CVE-2023-40183

Good to know:

Date: September 21, 2023

DataEase is an open source data visualization and analysis tool. Prior to version 1.18.11, DataEase has a vulnerability that allows an attacker to to obtain user cookies. The program only uses the `ImageIO.read()` method to determine whether the file is an image file or not. There is no whitelisting restriction on file suffixes. This allows the attacker to synthesize the attack code into an image for uploading and change the file extension to html. The attacker may steal user cookies by accessing links. The vulnerability has been fixed in v1.18.11. There are no known workarounds.

Language: Java

Severity Score

5.3

Related Resources (5)

Url: https://github.com/dataease/dataease/commit/826513053146721a2b3e09a9c9d3ea41f8f10569

Url: https://github.com/dataease/dataease/security/advisories/GHSA-w2r4-2r4w-fjxv

Url: https://github.com/dataease/dataease/releases/tag/v1.18.11

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-40183

Url: https://www.mend.io/vulnerability-database/CVE-2023-40183

Severity Score

5.3

Weakness Type (CWE)

Unrestricted Upload of File with Dangerous Type

CWE-434

Top Fix

Upgrade Version

Upgrade to version v1.18.11

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-40183

Good to know:

Date: September 21, 2023

Language: Java

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?