Home > Vulnerability Database > CVE-2024-3408

Mend.io Vulnerability Database

CVE-2024-3408

Date: June 6, 2024

man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded "SECRET_KEY" in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the "/update-settings" endpoint, even when "enable_custom_filters" is not enabled. This vulnerability allows attackers to bypass authentication mechanisms and execute remote code on the server.

Language: Python

Severity Score

9.8

Related Resources (6)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-3408

Url: https://huntr.com/bounties/57a06666-ff85-4577-af19-f3dfb7b02f91

Url: https://github.com/pypa/advisory-database/tree/main/vulns/dtale/PYSEC-2024-117.yaml

Url: https://github.com/man-group/dtale

Url: https://github.com/man-group/dtale/commit/32bd6fb4a63de779ff1e51823a456865ea3cbd13

Url: https://www.mend.io/vulnerability-database/CVE-2024-3408

Severity Score

9.8

Weakness Type (CWE)

Improper Control of Generation of Code ('Code Injection')

CWE-94

Improper Input Validation

CWE-20

Use of Hard-coded Credentials

CWE-798

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-3408

Date: June 6, 2024

Language: Python

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?