Highresure

**Name of the Vulnerable Software and Affected Versions** DataLens versions prior to 0.1449.0 **Description** A specifically crafted request allowed the creation of a special chart type with the ability to pass custom javascript code that would later be executed in an unprotected sandbox on subsequent requests to that chart. **Recommendations** For versions prior to 0.1449.0, update to version 0.1449.0 to resolve the issue. As a temporary workaround, consider restricting access to the API for creating or modifying charts ("/charts/api/charts/v1/") to mitigate the issue.