CVE-2023-35168
MEDIUM
Dataease < 1.18.8 - Incorrect Permission Assignment
Title source: ruleDescription
DataEase is an open source data visualization and analysis tool used to analyze data and gain insight into business trends. Affected versions of DataEase have a privilege bypass vulnerability that lets ordinary users gain access to the user database. Exposed information includes MD5 hashes of passwords, usernames, emails, and phone numbers. The vulnerability has been fixed in v1.18.8. Users are advised to upgrade. There are no known workarounds for the vulnerability.
References (1)
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/dataease/dataease/security/advisories/GHSA-c2r2-68p6-73xv
Scores
CVSS v3: 6.5
EPSS: 0.0007
EPSS Percentile: 22.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-732
Status: published
Products (1)
dataease/dataease < 1.18.8
Published: Jun 26, 2023
Tracked Since: Feb 18, 2026