8 vulnerabilities found for dtale by man-group
CVE-2024-55890 (GCVE-0-2024-55890)
Vulnerability from cvelistv5 – Published: 2024-12-13 18:00 – Updated: 2024-12-13 18:48
Title
D-Tale allows Remote Code Execution through the Custom Filter Input
Summary
D-Tale is a visualizer for pandas data structures. Prior to version 3.16.1, users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.16.1, where the `update-settings` endpoint blocks the ability for users to update the `enable_custom_filters` flag. The only workaround for versions earlier than 3.16.1 is to host D-Tale only for trusted users.
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-55890",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T18:48:32.945370Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T18:48:43.721Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dtale",
"vendor": "man-group",
"versions": [
{
"status": "affected",
"version": "\u003c 3.16.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "D-Tale is a visualizer for pandas data structures. Prior to version 3.16.1, users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.16.1 where the `update-settings` endpoint blocks the ability for users to update the `enable_custom_filters` flag. The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T18:00:04.173Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/man-group/dtale/security/advisories/GHSA-832w-fhmw-w4f4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/man-group/dtale/security/advisories/GHSA-832w-fhmw-w4f4"
},
{
"name": "https://github.com/man-group/dtale/commit/1e26ed3ca12fe83812b90f12a2b3e5fb0b740f7a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/man-group/dtale/commit/1e26ed3ca12fe83812b90f12a2b3e5fb0b740f7a"
},
{
"name": "https://github.com/man-group/dtale#custom-filter",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/man-group/dtale#custom-filter"
}
],
"source": {
"advisory": "GHSA-832w-fhmw-w4f4",
"discovery": "UNKNOWN"
},
"title": "D-Tale allows Remote Code Execution through the Custom Filter Input"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-55890",
"datePublished": "2024-12-13T18:00:04.173Z",
"dateReserved": "2024-12-12T15:03:39.205Z",
"dateUpdated": "2024-12-13T18:48:43.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45595 (GCVE-0-2024-45595)
Vulnerability from cvelistv5 – Published: 2024-09-10 16:03 – Updated: 2024-09-10 18:56
Title
D-Tale allows Remote Code Execution through the Query input on Chart Builder
Summary
D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.14.1 where the "Custom Filter" input is turned off by default.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45595",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T18:56:46.364218Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T18:56:57.922Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dtale",
"vendor": "man-group",
"versions": [
{
"status": "affected",
"version": "\u003c 3.14.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.14.1 where the \"Custom Filter\" input is turned off by default."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T16:03:56.717Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/man-group/dtale/security/advisories/GHSA-pw44-4h99-wqff",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/man-group/dtale/security/advisories/GHSA-pw44-4h99-wqff"
},
{
"name": "https://github.com/man-group/dtale/commit/b6e30969390520d1400b55acbb13e5487b8472e8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/man-group/dtale/commit/b6e30969390520d1400b55acbb13e5487b8472e8"
},
{
"name": "https://github.com/man-group/dtale#custom-filter",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/man-group/dtale#custom-filter"
}
],
"source": {
"advisory": "GHSA-pw44-4h99-wqff",
"discovery": "UNKNOWN"
},
"title": "D-Tale allows Remote Code Execution through the Query input on Chart Builder"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45595",
"datePublished": "2024-09-10T16:03:56.717Z",
"dateReserved": "2024-09-02T16:00:02.423Z",
"dateUpdated": "2024-09-10T18:56:57.922Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21642 (GCVE-0-2024-21642)
Vulnerability from cvelistv5 – Published: 2024-01-05 21:11 – Updated: 2025-06-17 20:29
Title
D-Tale server-side request forgery through Web uploads
Summary
D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale versions prior to 3.9.0 publicly can be vulnerable to server-side request forgery (SSRF), allowing attackers to access files on the server. Users should upgrade to version 3.9.0, where the `Load From the Web` input is turned off by default. The only workaround for versions earlier than 3.9.0 is to host D-Tale only for trusted users.
Severity
7.5 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:35.919Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4"
},
{
"name": "https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2"
},
{
"name": "https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21642",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-08T15:25:38.388086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T20:29:14.066Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dtale",
"vendor": "man-group",
"versions": [
{
"status": "affected",
"version": "\u003c 3.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "D-Tale is a visualizer for Pandas data structures. Users hosting versions D-Tale prior to 3.9.0 publicly can be vulnerable to server-side request forgery (SSRF), allowing attackers to access files on the server. Users should upgrade to version 3.9.0, where the `Load From the Web` input is turned off by default. The only workaround for versions earlier than 3.9.0 is to only host D-Tale to trusted users."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-05T21:11:41.528Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4"
},
{
"name": "https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2"
},
{
"name": "https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets"
}
],
"source": {
"advisory": "GHSA-7hfx-h3j3-rwq4",
"discovery": "UNKNOWN"
},
"title": "D-Tale server-side request forgery through Web uploads"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-21642",
"datePublished": "2024-01-05T21:11:41.528Z",
"dateReserved": "2023-12-29T03:00:44.958Z",
"dateUpdated": "2025-06-17T20:29:14.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46134 (GCVE-0-2023-46134)
Vulnerability from cvelistv5 – Published: 2023-10-25 20:51 – Updated: 2024-09-10 14:06
Title
D-Tale vulnerable to Remote Code Execution through the Custom Filter Input
Summary
D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to version 3.7.0, users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. This issue has been patched in version 3.7.0 by turning off the "Custom Filter" input by default. The only workaround for versions earlier than 3.7.0 is to host D-Tale only for trusted users.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:39.665Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/man-group/dtale/security/advisories/GHSA-jq6c-r9xf-qxjm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/man-group/dtale/security/advisories/GHSA-jq6c-r9xf-qxjm"
},
{
"name": "https://github.com/man-group/dtale/commit/bf8c54ab2490803f45f0652a9a0e221a94d39668",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/man-group/dtale/commit/bf8c54ab2490803f45f0652a9a0e221a94d39668"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46134",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T13:58:12.597618Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T14:06:54.153Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dtale",
"vendor": "man-group",
"versions": [
{
"status": "affected",
"version": "\u003c 3.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "D-Tale is the combination of a Flask back-end and a React front-end to view \u0026 analyze Pandas data structures. Prior to version 3.7.0, users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. This issue has been patched in version 3.7.0 by turning off \"Custom Filter\" input by default. The only workaround for versions earlier than 3.7.0 is to only host D-Tale to trusted users.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-25T20:51:40.321Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/man-group/dtale/security/advisories/GHSA-jq6c-r9xf-qxjm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/man-group/dtale/security/advisories/GHSA-jq6c-r9xf-qxjm"
},
{
"name": "https://github.com/man-group/dtale/commit/bf8c54ab2490803f45f0652a9a0e221a94d39668",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/man-group/dtale/commit/bf8c54ab2490803f45f0652a9a0e221a94d39668"
}
],
"source": {
"advisory": "GHSA-jq6c-r9xf-qxjm",
"discovery": "UNKNOWN"
},
"title": "D-Tale vulnerable to Remote Code Execution through the Custom Filter Input"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46134",
"datePublished": "2023-10-25T20:51:40.321Z",
"dateReserved": "2023-10-16T17:51:35.574Z",
"dateUpdated": "2024-09-10T14:06:54.153Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-55890 (GCVE-0-2024-55890)
Vulnerability from nvd – Published: 2024-12-13 18:00 – Updated: 2024-12-13 18:48
Title
D-Tale allows Remote Code Execution through the Custom Filter Input
Summary
D-Tale is a visualizer for pandas data structures. Prior to version 3.16.1, users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.16.1, where the `update-settings` endpoint blocks the ability for users to update the `enable_custom_filters` flag. The only workaround for versions earlier than 3.16.1 is to host D-Tale only for trusted users.
Severity
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-55890",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T18:48:32.945370Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T18:48:43.721Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dtale",
"vendor": "man-group",
"versions": [
{
"status": "affected",
"version": "\u003c 3.16.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "D-Tale is a visualizer for pandas data structures. Prior to version 3.16.1, users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.16.1 where the `update-settings` endpoint blocks the ability for users to update the `enable_custom_filters` flag. The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T18:00:04.173Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/man-group/dtale/security/advisories/GHSA-832w-fhmw-w4f4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/man-group/dtale/security/advisories/GHSA-832w-fhmw-w4f4"
},
{
"name": "https://github.com/man-group/dtale/commit/1e26ed3ca12fe83812b90f12a2b3e5fb0b740f7a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/man-group/dtale/commit/1e26ed3ca12fe83812b90f12a2b3e5fb0b740f7a"
},
{
"name": "https://github.com/man-group/dtale#custom-filter",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/man-group/dtale#custom-filter"
}
],
"source": {
"advisory": "GHSA-832w-fhmw-w4f4",
"discovery": "UNKNOWN"
},
"title": "D-Tale allows Remote Code Execution through the Custom Filter Input"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-55890",
"datePublished": "2024-12-13T18:00:04.173Z",
"dateReserved": "2024-12-12T15:03:39.205Z",
"dateUpdated": "2024-12-13T18:48:43.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45595 (GCVE-0-2024-45595)
Vulnerability from nvd – Published: 2024-09-10 16:03 – Updated: 2024-09-10 18:56
Title
D-Tale allows Remote Code Execution through the Query input on Chart Builder
Summary
D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.14.1 where the "Custom Filter" input is turned off by default.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-45595",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T18:56:46.364218Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T18:56:57.922Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dtale",
"vendor": "man-group",
"versions": [
{
"status": "affected",
"version": "\u003c 3.14.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.14.1 where the \"Custom Filter\" input is turned off by default."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T16:03:56.717Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/man-group/dtale/security/advisories/GHSA-pw44-4h99-wqff",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/man-group/dtale/security/advisories/GHSA-pw44-4h99-wqff"
},
{
"name": "https://github.com/man-group/dtale/commit/b6e30969390520d1400b55acbb13e5487b8472e8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/man-group/dtale/commit/b6e30969390520d1400b55acbb13e5487b8472e8"
},
{
"name": "https://github.com/man-group/dtale#custom-filter",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/man-group/dtale#custom-filter"
}
],
"source": {
"advisory": "GHSA-pw44-4h99-wqff",
"discovery": "UNKNOWN"
},
"title": "D-Tale allows Remote Code Execution through the Query input on Chart Builder"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-45595",
"datePublished": "2024-09-10T16:03:56.717Z",
"dateReserved": "2024-09-02T16:00:02.423Z",
"dateUpdated": "2024-09-10T18:56:57.922Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-21642 (GCVE-0-2024-21642)
Vulnerability from nvd – Published: 2024-01-05 21:11 – Updated: 2025-06-17 20:29
Title
D-Tale server-side request forgery through Web uploads
Summary
D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale versions prior to 3.9.0 publicly can be vulnerable to server-side request forgery (SSRF), allowing attackers to access files on the server. Users should upgrade to version 3.9.0, where the `Load From the Web` input is turned off by default. The only workaround for versions earlier than 3.9.0 is to host D-Tale only for trusted users.
Severity
7.5 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:35.919Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4"
},
{
"name": "https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2"
},
{
"name": "https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21642",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-08T15:25:38.388086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T20:29:14.066Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dtale",
"vendor": "man-group",
"versions": [
{
"status": "affected",
"version": "\u003c 3.9.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "D-Tale is a visualizer for Pandas data structures. Users hosting versions D-Tale prior to 3.9.0 publicly can be vulnerable to server-side request forgery (SSRF), allowing attackers to access files on the server. Users should upgrade to version 3.9.0, where the `Load From the Web` input is turned off by default. The only workaround for versions earlier than 3.9.0 is to only host D-Tale to trusted users."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-05T21:11:41.528Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4"
},
{
"name": "https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2"
},
{
"name": "https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets"
}
],
"source": {
"advisory": "GHSA-7hfx-h3j3-rwq4",
"discovery": "UNKNOWN"
},
"title": "D-Tale server-side request forgery through Web uploads"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-21642",
"datePublished": "2024-01-05T21:11:41.528Z",
"dateReserved": "2023-12-29T03:00:44.958Z",
"dateUpdated": "2025-06-17T20:29:14.066Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46134 (GCVE-0-2023-46134)
Vulnerability from nvd – Published: 2023-10-25 20:51 – Updated: 2024-09-10 14:06
Title
D-Tale vulnerable to Remote Code Execution through the Custom Filter Input
Summary
D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to version 3.7.0, users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. This issue has been patched in version 3.7.0 by turning off the "Custom Filter" input by default. The only workaround for versions earlier than 3.7.0 is to host D-Tale only for trusted users.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:37:39.665Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/man-group/dtale/security/advisories/GHSA-jq6c-r9xf-qxjm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/man-group/dtale/security/advisories/GHSA-jq6c-r9xf-qxjm"
},
{
"name": "https://github.com/man-group/dtale/commit/bf8c54ab2490803f45f0652a9a0e221a94d39668",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/man-group/dtale/commit/bf8c54ab2490803f45f0652a9a0e221a94d39668"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46134",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-10T13:58:12.597618Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-10T14:06:54.153Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dtale",
"vendor": "man-group",
"versions": [
{
"status": "affected",
"version": "\u003c 3.7.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "D-Tale is the combination of a Flask back-end and a React front-end to view \u0026 analyze Pandas data structures. Prior to version 3.7.0, users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. This issue has been patched in version 3.7.0 by turning off \"Custom Filter\" input by default. The only workaround for versions earlier than 3.7.0 is to only host D-Tale to trusted users.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-25T20:51:40.321Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/man-group/dtale/security/advisories/GHSA-jq6c-r9xf-qxjm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/man-group/dtale/security/advisories/GHSA-jq6c-r9xf-qxjm"
},
{
"name": "https://github.com/man-group/dtale/commit/bf8c54ab2490803f45f0652a9a0e221a94d39668",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/man-group/dtale/commit/bf8c54ab2490803f45f0652a9a0e221a94d39668"
}
],
"source": {
"advisory": "GHSA-jq6c-r9xf-qxjm",
"discovery": "UNKNOWN"
},
"title": "D-Tale vulnerable to Remote Code Execution through the Custom Filter Input"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46134",
"datePublished": "2023-10-25T20:51:40.321Z",
"dateReserved": "2023-10-16T17:51:35.574Z",
"dateUpdated": "2024-09-10T14:06:54.153Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}