Impact
When a dashboard is saved on the DataEase platform, the saved data is stored without sanitization, so an attacker who tampers with the save request can persist malicious script on the server (stored XSS).
For example, modifying the propValue field in the saved data to the following value makes the dashboard pop up a dialog when it is rendered: "propValue:123<audio src=x onerror=confirm('XSS')>".
Trigger the payload: the stored script runs in the browser of every user who subsequently opens the affected dashboard, so attacker-controlled code executes in the victim's session and can cause damage.
Affected versions: <= 1.18.2
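The following is an added illustration of the vulnerability class described above, not DataEase's own code. Only the field name propValue and the quoted payload come from the advisory; the render functions, the validation rule, the detection scan and the sample saved data are assumptions made for the example. It shows the unsafe pattern (splicing a stored propValue straight into markup), the output-encoding fix, a save-time validation check, and a scan that finds payloads already persisted in saved dashboards.

```javascript
// Added example, not DataEase code. "propValue" is the field named in the
// advisory; all other names, functions and the sample data are assumptions.

// Constructed sample of saved dashboard data with a tampered propValue,
// mirroring the payload quoted in the advisory.
const savedDashboard = {
  id: "dash-001",
  components: [
    { type: "text", propValue: "123<audio src=x onerror=confirm('XSS')>" },
    { type: "text", propValue: "Quarterly revenue" },
  ],
};

// Vulnerable pattern: trust persisted data and splice it into HTML markup.
// Whatever was stored is executed in every viewer's browser.
function renderComponentUnsafe(component) {
  return `<div class="text-component">${component.propValue}</div>`;
}

// Hardened pattern 1 (output encoding): escape the HTML metacharacters before
// the value reaches markup, so "<audio ...>" is displayed as literal text.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderComponentSafe(component) {
  return `<div class="text-component">${escapeHtml(component.propValue)}</div>`;
}

// Hardened pattern 2 (validation on the save path): reject any propValue that
// contains markup so the payload never reaches the database. Assumption: text
// components are plain strings here; a component that legitimately needs rich
// text would require a real HTML sanitizer instead of a reject rule.
function validateDashboardForSave(dashboard) {
  const errors = [];
  dashboard.components.forEach((component, index) => {
    if (/[<>]/.test(String(component.propValue))) {
      errors.push(`components[${index}].propValue contains markup`);
    }
  });
  return errors;
}

// Detection aid for already-stored data: flag components whose propValue
// carries an event-handler attribute, a script tag or a javascript: URL.
function findSuspiciousComponents(dashboard) {
  const pattern = /<\s*\w+[^>]*\bon\w+\s*=|<\s*script\b|javascript:/i;
  return dashboard.components
    .map((component, index) => ({ index, propValue: component.propValue }))
    .filter((entry) => pattern.test(String(entry.propValue)));
}

// Stand-alone run: compare both renderings and report save-time / scan results.
console.log("unsafe :", renderComponentUnsafe(savedDashboard.components[0]));
console.log("safe   :", renderComponentSafe(savedDashboard.components[0]));
console.log("errors :", validateDashboardForSave(savedDashboard));
console.log("flagged:", findSuspiciousComponents(savedDashboard));
```

The escaping belongs at the point where propValue is interpolated into HTML; the save-time check is defence in depth, and the scan is what an operator would run over existing saved dashboards after upgrading, since the fix in v1.18.3 does not retroactively clean data stored by an attacker before the upgrade.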
Patches
The vulnerability has been fixed in v1.18.3.
Workarounds
It is recommended to upgrade the version to v1.18.3.
References
If you have any questions or comments about this advisory:
Open an issue in https://github.com/dataease/dataease
Email us at wei@fit2cloud.com