Andrew Schonfeld (Boston)

2 exploits Active since Oct 2023

CVE-2023-46134 WRITEUP MEDIUM WRITEUP

D-Tale <3.7.0 - RCE

D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to version 3.7.0, users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. This issue has been patched in version 3.7.0 by turning off "Custom Filter" input by default. The only workaround for versions earlier than 3.7.0 is to only host D-Tale to trusted users.

CVSS 6.1

View Code

CVE-2024-21642 WRITEUP HIGH WRITEUP

MAN D-tale < 3.9.0 - SSRF

D-Tale is a visualizer for Pandas data structures. Users hosting versions D-Tale prior to 3.9.0 publicly can be vulnerable to server-side request forgery (SSRF), allowing attackers to access files on the server. Users should upgrade to version 3.9.0, where the `Load From the Web` input is turned off by default. The only workaround for versions earlier than 3.9.0 is to only host D-Tale to trusted users.

CVSS 7.5

View Code