CVE-2024-46985

Source
https://cve.org/CVERecord?id=CVE-2024-46985
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-46985.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-46985
Aliases
Published
2024-09-23T15:12:21.539Z
Modified
2026-07-08T06:53:03.990429455Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
DataEase has an XXE vulnerability
Details

DataEase is an open source data visualization analysis tool. Prior to version 2.10.1, there is an XML external entity injection vulnerability in the static resource upload interface of DataEase. An attacker can construct a payload to implement intranet detection and file reading. The vulnerability has been fixed in v2.10.1.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/46xxx/CVE-2024-46985.json",
    "cwe_ids": [
        "CWE-611"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/dataease/dataease

Affected ranges

Type
GIT
Repo
https://github.com/dataease/dataease
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.10.1"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v2.*
v2.10.0
v2.2.0
v2.3.0
v2.6.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-46985.json"