Xuwei

Researcher from Fit2Cloud
#46903 of 53,624
5.4 Total CVSS
Vulnerabilities · 1
PT-2026-25035
5.4
2026-03-12
Dataease · Dataease · CVE-2026-32139
**Name of the Vulnerable Software and Affected Versions**
Dataease versions 2.10.19 and earlier

**Description**
Dataease is a data visualization analysis tool. The static resource upload interface allows SVG uploads. Backend validation only checks if the XML is parseable and if the root node is `svg`, failing to sanitize active content like `onload`/`onerror` event handlers or script-capable attributes. This allows an attacker to upload a malicious SVG and trigger script execution in a browser by visiting the exposed static resource URL, resulting in a stored cross-site scripting (XSS) exploitation chain.

**Recommendations**
Update Dataease to version 2.10.20 or later.