PT-2024-36605 · D-Tale · D-Tale
Taiphung217 · Published 2024-12-13 · Updated 2024-12-13 · CVE-2024-55890
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions
D-Tale versions prior to 3.16.1
Description
D-Tale is a visualizer for pandas data structures. Users who host D-Tale publicly can be exposed to remote code execution, allowing an attacker to run malicious code on the server. The vulnerable component is the update-settings endpoint, specifically the ability for any user to update the enable custom filters flag.
Recommendations
For versions prior to 3.16.1, the only workaround is to host D-Tale only to trusted users.
For all affected versions, users should upgrade to version 3.16.1, where the update-settings endpoint blocks the ability for users to update the enable custom filters flag.
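As an added defender-side example (not part of this advisory and not D-Tale's own code): a check for whether an installed version falls in the affected range, and a scan of web-server access log lines for settings-update requests that try to set the custom-filters flag. It assumes that D-Tale's settings update arrives as GET /dtale/update-settings/<data_id>?settings=<URL-encoded JSON> and that the flag is the JSON key enable_custom_filters; neither detail is stated on this page.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Assumed request shape (not stated in the advisory): a settings update is
# GET /dtale/update-settings/<data_id>?settings=<URL-encoded JSON object>, and
# the custom-filters toggle is the JSON key "enable_custom_filters".
UPDATE_SETTINGS_RE = re.compile(r"/dtale/update-settings/\d+")
FLAG_KEY = "enable_custom_filters"
LOG_RE = re.compile(  # Common Log Format request line
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_version(version):
    return tuple(int(part) for part in version.split("."))

def is_affected(version):
    """True for the range named in the advisory: D-Tale versions prior to 3.16.1."""
    return parse_version(version) < (3, 16, 1)

def settings_from_target(target):
    """Decode the JSON object in the `settings` query parameter; {} if absent or invalid."""
    raw = parse_qs(urlsplit(target).query).get("settings", [None])[0]
    if raw is None:
        return {}
    try:
        parsed = json.loads(raw)
    except ValueError:
        return {}
    return parsed if isinstance(parsed, dict) else {}

def flag_custom_filter_toggles(log_lines):
    """(client_ip, target, requested_value) for each update-settings request carrying the
    custom-filters flag: 3.16.1 ignores it server-side, earlier versions honour it."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match or not UPDATE_SETTINGS_RE.search(match["target"]):
            continue
        settings = settings_from_target(match["target"])
        if FLAG_KEY in settings:
            hits.append((match["ip"], match["target"], settings[FLAG_KEY]))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Dec/2024:10:00:01 +0000] "GET /dtale/main/1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [13/Dec/2024:10:00:02 +0000] "GET /dtale/update-settings/1?settings=%7B%22theme%22%3A%22dark%22%7D HTTP/1.1" 200 12',
    '198.51.100.9 - - [13/Dec/2024:10:00:03 +0000] "GET /dtale/update-settings/1?settings=%7B%22enable_custom_filters%22%3Atrue%7D HTTP/1.1" 200 12',
]
```

On a pre-3.16.1 instance, each hit is a request that an untrusted client should never have been able to send, so it is worth an incident review rather than a configuration fix alone.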
Affected Products
D-Tale