CVE-2024-45595

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Sep 10, 2024 / Updated: 2mo ago

CVSS 9.8 (Critical) / EPSS 0.05%

Summary

D-Tale, a visualizer for Pandas data structures, contains a vulnerability that allows remote code execution when hosted publicly. This vulnerability is due to improper input validation, specifically in the "Custom Filter" input. The vulnerability affects versions of D-Tale prior to 3.14.1.

Impact

Attackers can exploit this vulnerability to run malicious code on the server hosting D-Tale. This could lead to unauthorized access, data manipulation, or further system compromise. The vulnerability has a high impact on confidentiality, integrity, and availability, as indicated by the CVSS v3.1 base score of 9.8 (Critical). The attack vector is network-based, requires no user interaction, and can be executed without any privileges, making it particularly severe.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

A patch is available. Users should upgrade to version 3.14.1 where the "Custom Filter" input is turned off by default. The patch was added on 2024-09-10, and the vulnerability is considered patched.

Mitigation

1. Upgrade D-Tale to version 3.14.1 or later immediately.
2. If immediate upgrading is not possible, avoid hosting D-Tale publicly.
3. Implement strong input validation and sanitization mechanisms.
4. Apply the principle of least privilege to limit potential damage from successful exploits.
5. Monitor systems for suspicious activities that might indicate exploitation attempts.
6. Regularly check for and apply security updates for D-Tale and related components.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (5000917)

Sep 10, 2024 at 7:53 AM
Vendor Advisory

GitHub Advisories released a security advisory.

Sep 10, 2024 at 3:23 PM
CVE Assignment

NVD published the first details for CVE-2024-45595

Sep 10, 2024 at 4:15 PM
First Article

Feedly found the first article mentioning CVE-2024-45595.

Sep 10, 2024 at 4:19 PM / CVE
CVSS

A CVSS base score of 6.1 has been assigned.

Sep 10, 2024 at 4:20 PM / nvd
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Sep 10, 2024 at 4:20 PM
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.4%)

Sep 11, 2024 at 10:13 AM
CVSS

A CVSS base score of 9.8 has been assigned.

Sep 20, 2024 at 8:00 PM / nvd

Affected Systems

Man/d-tale

Patches

Github Advisory

Links to MITRE ATT&CK

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High
