PT-2023-23720 · Dataease · Dataease

Lujiefsi · Published 2023-06-01 · Updated 2023-06-09 · CVE-2023-32310

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: DataEase versions prior to 1.18.7

Description: The DataEase API interfaces for deleting dashboards and deleting system messages are vulnerable to insecure direct object references (IDOR): the handlers act on the object ID supplied in the request without checking that the authenticated user owns that object. An authenticated attacker can therefore delete another user's dashboards or messages simply by replacing the ID in the request with the ID of the other user's dashboard or message. The interface for marking messages as read is affected in the same way, so the read state of other users' messages can also be manipulated.

Recommendations: For versions prior to 1.18.7, upgrade to version 1.18.7 to fix the vulnerability. As a temporary workaround, consider restricting access to the API endpoints related to deleting dashboards and system messages, such as "POST /api/share/removePanelShares/", until the issue is resolved. Avoid using the interface to delete dashboards and system messages until the upgrade is applied.
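The root cause described above, a mutating handler that trusts the object ID in the request, is easiest to see next to its fix. The following is an added illustration written for this advisory, not DataEase code: a toy in-memory store with the flawed pattern (delete and mark-read by ID alone) beside a hardened version that resolves the object and enforces ownership before every mutation. Class and field names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Resource:
    """A dashboard or system message; `read` only matters for messages."""
    id: int
    owner: str
    read: bool = False


class Forbidden(Exception):
    """Raised when the requester does not own the requested resource."""


class VulnerableStore:
    """Flawed pattern: the handler trusts the ID from the request and never
    compares the resource owner with the authenticated requester (IDOR)."""
    def __init__(self, items):
        self.items = {r.id: r for r in items}

    def delete(self, requester, rid):
        self.items.pop(rid)          # any caller can delete any ID
        return True

    def mark_read(self, requester, rid):
        self.items[rid].read = True  # any caller can flip any message
        return True


class HardenedStore(VulnerableStore):
    """Fixed pattern: every mutating call goes through an ownership check."""
    def _owned(self, requester, rid):
        r = self.items.get(rid)
        # Same error for "missing" and "not yours" so responses do not
        # reveal which IDs exist for other users.
        if r is None or r.owner != requester:
            raise Forbidden(f"{requester} may not access resource {rid}")
        return r

    def delete(self, requester, rid):
        self._owned(requester, rid)
        del self.items[rid]
        return True

    def mark_read(self, requester, rid):
        self._owned(requester, rid).read = True
        return True


def denied(action, *args):
    """True if the action was refused with Forbidden, False if it succeeded."""
    try:
        action(*args)
        return False
    except Forbidden:
        return True


def sample_items():
    # Constructed sample data: alice owns resource 1, bob owns 2 and 3.
    return [Resource(1, "alice"), Resource(2, "bob"), Resource(3, "bob")]
```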

Exploit · Fix · IDOR

Weakness Enumeration

Related Identifiers
CVE-2023-32310
GHSA-7HV6-GV38-78WJ

Affected Products
Dataease