
The DataEase panel and dataset have stored XSS vulnerability

High
fit2cloudrd published GHSA-7cm3-9pp6-q2fq Jul 24, 2023

Package

maven io.dataease (Maven)

Affected versions

<= 1.18.8

Patched versions

1.18.9

Description

Impact

The DataEase panel and dataset have a stored XSS vulnerability.

Visit the following address: https://github.com/search?q=repo%3Adataease%2Fdataease%20%20v-html%3D%22&type=code.
A global search for 'v-html="' showed that some outputs are filtered with XSS encoding, while other output areas may still pose a risk of stored XSS.

However, some outputs are still not protected. Because DataEase allows collaboration among multiple users, other users in the same organization, or administrators, who access the server via a browser will execute the attacker's stored JavaScript code, which may cause security issues such as cookie leakage.

The stored XSS vulnerability is demonstrated as follows:
(1) https://dataease.fit2cloud.com/#/panel/index

v-html="templateContentChange"

Create a dashboard named <audio src=x onerror=confirm('XSS')>

Selecting export to PDF triggers XSS.

(2) https://dataease.fit2cloud.com/#/dataset/index

Create a directory named <audio src=x onerror=confirm('XSS')>
Select 'Move to' and bring up the LazyTree interface.
Expanding the tree structure triggers XSS.
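
The global search for v-html described above can be turned into a repeatable audit. The following is an added example, not DataEase code and not the project's actual fix: it lists v-html bindings whose expression is not wrapped in a trusted sanitizer and shows entity-encoding of the name used in the demonstration. The wrapper name sanitizeHtml and the sample template are assumptions.

```javascript
// Added example (not DataEase code): list v-html bindings that bypass a sanitizer.
// Assumption: 'sanitizeHtml' is a hypothetical wrapper your code base trusts.
const SANITIZERS = ['sanitizeHtml'];

// True only when the whole expression is one call to an allow-listed wrapper.
// Heuristic: parentheses inside string literals are not handled.
function isSanitizedCall(expr, sanitizers = SANITIZERS) {
  const open = expr.indexOf('(');
  if (open < 0 || !sanitizers.includes(expr.slice(0, open).trim())) return false;
  let depth = 0;
  for (let i = open; i < expr.length; i++) {
    if (expr[i] === '(') depth++;
    else if (expr[i] === ')' && --depth === 0) return i === expr.length - 1;
  }
  return false;
}

// Report each v-html binding with its line number and sanitization status.
function findVHtmlBindings(source, sanitizers = SANITIZERS) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(/\bv-html\s*=\s*(["'])(.*?)\1/g)) {
      const expr = m[2].trim();
      findings.push({ line: idx + 1, expr, sanitized: isSanitizedCall(expr, sanitizers) });
    }
  });
  return findings;
}

// Entity-encode a stored name so it renders as text instead of markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample template; only templateContentChange comes from the advisory.
const SAMPLE_TEMPLATE = [
  '<template>',
  '  <div v-html="templateContentChange" />',
  '  <span v-html="sanitizeHtml(node.label)" />',
  '  <span v-html="sanitizeHtml(a) + b.raw" />',
  '  <p>{{ panel.name }}</p>',
  '</template>',
].join('\n');

console.log(findVHtmlBindings(SAMPLE_TEMPLATE).filter((f) => !f.sanitized));
console.log(escapeHtml("<audio src=x onerror=confirm('XSS')>"));
```

Bindings reported as unsanitized are candidates for review, not confirmed vulnerabilities; whether they are exploitable depends on whether user-controlled data such as panel or directory names can reach them.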

Affected versions: <= 1.18.9

Patches

The vulnerability has been fixed in v1.18.9.

Workarounds

It is recommended to upgrade the version to v1.18.9.

References

If you have any questions or comments about this advisory:

Open an issue in https://github.com/dataease/dataease
Email us at wei@fit2cloud.com

Severity

High

CVE ID

CVE-2023-37257

Weaknesses

No CWEs

Credits