D-Tale combines a Flask back-end with a React front-end to provide an easy way to view and analyze Pandas data structures. In dtale\views.py, under the route @dtale.route("/chart-data/<data_id>"), the query parameter from the request is passed directly into runquery for execution, and the runquery call proceeds without any processing or sanitization of that parameter. As a result, the query string is used as-is in the df.query method for data retrieval. The engine used is python, which evaluates the query as a Python expression and so leads to a command execution vulnerability.
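As an added example (not D-Tale's own code), the kind of allow-list check an endpoint like /chart-data could apply before handing a user-supplied expression to df.query with engine="python": the expression is parsed with Python's ast module and rejected unless it consists only of comparisons, boolean logic, simple arithmetic, literals and known column names. The names validate_query and run_query, the length limit and the sample columns are assumptions; the allow-list is deliberately conservative and also rejects pandas-specific syntax such as backtick-quoted column names and @-references to local variables.

```python
import ast

# Node types a plain row-filter expression needs. Calls, attribute access,
# subscripts, lambdas, comprehensions, f-strings etc. are not listed and so
# are rejected before the string ever reaches df.query / eval.
_ALLOWED_NODES = (
    ast.Expression, ast.Load,
    ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not, ast.USub,
    ast.BinOp, ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod,
    ast.Compare, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
    ast.In, ast.NotIn,
    ast.Name, ast.Constant, ast.List, ast.Tuple,
)

MAX_QUERY_LEN = 500  # assumed limit; tune to the application


def validate_query(expr, columns):
    """Return None if `expr` is an acceptable filter over `columns`,
    otherwise a short reason string explaining the rejection."""
    if len(expr) > MAX_QUERY_LEN:
        return "expression too long"
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        # Covers backtick column names, '@var' references and junk input.
        return "not a parseable expression: %s" % exc.msg
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            return "disallowed syntax: %s" % type(node).__name__
        # Bare names may only refer to columns of the frame being queried.
        if isinstance(node, ast.Name) and node.id not in columns:
            return "unknown column: %s" % node.id
    return None


def run_query(df, expr):
    """Apply `expr` to a pandas DataFrame `df` only after it passes validation."""
    reason = validate_query(expr, set(df.columns))
    if reason is not None:
        raise ValueError("rejected query: " + reason)
    return df.query(expr, engine="python")


if __name__ == "__main__":
    import pandas as pd  # only needed for the demonstration below
    frame = pd.DataFrame({"age": [25, 41, 37], "city": ["Oslo", "Paris", "Oslo"]})
    print(run_query(frame, "age > 30 and city == 'Oslo'"))
    try:
        run_query(frame, "city.startswith('O')")
    except ValueError as exc:
        print(exc)
```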
{ "nvd_published_at": "2024-09-14T20:15:11Z", "cwe_ids": [ "CWE-74" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-09-20T19:50:07Z" }