CVE-2023-40183

Name of the Vulnerable Software and Affected Versions DataEase versions prior to 1.18.11

Description DataEase is an open source data visualization and analysis tool. The program only uses the ImageIO.read() method to determine whether the file is an image file or not. There is no whitelisting restriction on file suffixes. This allows the attacker to synthesize the attack code into an image for uploading and change the file extension to html. The attacker may steal user cookies by accessing links.

Recommendations For versions prior to 1.18.11, update to version 1.18.11 to resolve the issue. As a temporary workaround, consider restricting file uploads to only image files with approved extensions until the update is applied. Avoid using the ImageIO.read() method without additional validation on file types.