An5Er

**Name of the Vulnerable Software and Affected Versions** DataEase versions prior to 1.18.19 **Description** DataEase is an open source data visualization analysis tool. Due to the lack of restrictions on the connection parameters for the ClickHouse data source, it is possible to exploit certain malicious parameters to achieve arbitrary file reading. **Recommendations** For versions prior to 1.18.19, update to version 1.18.19 to resolve the issue. As a temporary workaround, consider restricting access to the ClickHouse data source connection parameters until the update is applied.

**Name of the Vulnerable Software and Affected Versions** 1Panel versions prior to 1.10.3-lts **Description** The issue is related to command injections in the project that are not well filtered, leading to arbitrary file writes and ultimately to remote code executions (RCEs). The mirror configuration write symbol `>` can be used to achieve arbitrary file writing. This can be exploited by sending a maliciously crafted packet to write to an arbitrary file, potentially leading to a host takeover. The vulnerability can be exploited through the "/api/v1/containers/search/log" API endpoint, allowing an attacker to write customized files, such as ssh keys, and execute any command. **Recommendations** For versions prior to 1.10.3-lts, update to version 1.10.3-lts to fix the vulnerability. As a temporary workaround, consider restricting access to the "/api/v1/containers/search/log" API endpoint to minimize the risk of exploitation. Additionally, avoid using the mirror configuration write symbol `>` until the issue is resolved.