Vulnerability Details : CVE-2023-35168
DataEase is an open source data visualization analysis tool to analyze data and gain insight into business trends. Affected versions of DataEase has a privilege bypass vulnerability where ordinary users can gain access to the user database. Exposed information includes md5 hashes of passwords, username, email, and phone number. The vulnerability has been fixed in v1.18.8. Users are advised to upgrade. There are no known workarounds for the vulnerability.
Products affected by CVE-2023-35168
- cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-35168
0.06%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 28 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-35168
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
2.8
|
3.6
|
NIST | |
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
2.8
|
3.6
|
GitHub, Inc. |
CWE ids for CVE-2023-35168
-
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-35168
-
https://github.com/dataease/dataease/security/advisories/GHSA-c2r2-68p6-73xv
DataEase has a privilege bypass vulnerability that allows ordinary users to access all user information · Advisory · dataease/dataease · GitHubExploit;Vendor Advisory
Jump to