CVE-2024-45595

D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.14.1 where the "Custom Filter" input is turned off by default.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/man-group/dtale#custom-filter	Product
https://github.com/man-group/dtale/commit/b6e30969390520d1400b55acbb13e5487b8472e8	Patch
https://github.com/man-group/dtale/security/advisories/GHSA-pw44-4h99-wqff	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:man:d-tale:*:*:*:*:*:*:*:*

History

20 Sep 2024, 19:59

Type	Values Removed	Values Added
CPE		cpe:2.3:a:man:d-tale::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~6.1~~	v2 : unknown v3 : 9.8
CWE		NVD-CWE-noinfo
First Time		Man Man d-tale
References	~~() https://github.com/man-group/dtale#custom-filter -~~	() https://github.com/man-group/dtale#custom-filter - Product
References	~~() https://github.com/man-group/dtale/commit/b6e30969390520d1400b55acbb13e5487b8472e8 -~~	() https://github.com/man-group/dtale/commit/b6e30969390520d1400b55acbb13e5487b8472e8 - Patch
References	~~() https://github.com/man-group/dtale/security/advisories/GHSA-pw44-4h99-wqff -~~	() https://github.com/man-group/dtale/security/advisories/GHSA-pw44-4h99-wqff - Vendor Advisory

10 Sep 2024, 17:43

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-10 16:15

Updated : 2024-09-20 19:59

NVD link : CVE-2024-45595

Mitre link : CVE-2024-45595

CVE.ORG link : CVE-2024-45595

JSON object : View

Products Affected

man

d-tale

CWE

NVD-CWE-noinfo CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-45595", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2024-09-10T16:15:21.970", "references": [{"url": "https://github.com/man-group/dtale#custom-filter", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/man-group/dtale/commit/b6e30969390520d1400b55acbb13e5487b8472e8", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/man-group/dtale/security/advisories/GHSA-pw44-4h99-wqff", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.14.1 where the \"Custom Filter\" input is turned off by default."}, {"lang": "es", "value": "D-Tale es un visualizador de estructuras de datos de Pandas. Los usuarios que alojan D-Tale p\u00fablicamente pueden ser vulnerables a la ejecuci\u00f3n remota de c\u00f3digo, lo que permite a los atacantes ejecutar c\u00f3digo malicioso en el servidor. Los usuarios deben actualizar a la versi\u00f3n 3.14.1, donde la entrada \"Filtro personalizado\" est\u00e1 desactivada de forma predeterminada."}], "lastModified": "2024-09-20T19:59:02.963", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:man:d-tale:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8D13C5E8-29D1-4532-88C1-826651CDA34E", "versionEndExcluding": "3.14.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}