CVE-2024-46985
HIGH
DataEase < 2.10.1 - XML External Entity Injection via Static Resource Upload
Title source: llm
Description
DataEase is an open source data visualization analysis tool. Prior to version 2.10.1, the static resource upload interface of DataEase is vulnerable to XML external entity (XXE) injection. An attacker can construct a payload to probe the internal network and read files. The vulnerability has been fixed in v2.10.1.
References (1)
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/dataease/dataease/security/advisories/GHSA-4m9p-7xg6-f4mm
Scores
CVSS v3
7.5
EPSS
0.0066
EPSS Percentile
46.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-611
Status
published
Products (2)
dataease/dataease
< 2.10.1
io.dataease/common
0 - 2.10.1
Maven
Published
Sep 23, 2024
Tracked Since
Feb 18, 2026