Andrew Schonfeld (Boston) - Security Researcher - Exploit Intelligence Platform

CVE-2024-45595 WRITEUP MEDIUM WRITEUP

d-tale < 3.14.1 - Remote Code Execution via Custom Filter Input

D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.14.1 where the "Custom Filter" input is turned off by default.

CVSS 6.1

View Code

CVE-2023-46134 WRITEUP MEDIUM WRITEUP

D-Tale < 3.7.0 - Remote Code Execution via Custom Filter Input

D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to version 3.7.0, users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. This issue has been patched in version 3.7.0 by turning off "Custom Filter" input by default. The only workaround for versions earlier than 3.7.0 is to only host D-Tale to trusted users.

CVSS 6.1

View Code

CVE-2024-21642 WRITEUP HIGH WRITEUP

D-Tale < 3.9.0 - Server-Side Request Forgery via Load From the Web Input

D-Tale is a visualizer for Pandas data structures. Users hosting versions D-Tale prior to 3.9.0 publicly can be vulnerable to server-side request forgery (SSRF), allowing attackers to access files on the server. Users should upgrade to version 3.9.0, where the `Load From the Web` input is turned off by default. The only workaround for versions earlier than 3.9.0 is to only host D-Tale to trusted users.

CVSS 7.5

View Code