CVE-2025-62421

Name of the Vulnerable Software and Affected Versions DataEase versions through 2.10.13

Description DataEase is a data visualization and analytics platform. A stored cross-site scripting issue exists because of inadequate file upload validation and authentication bypass. The upload/{fileId} route within the StaticResourceApi interface allows users to control the filename and extension of uploaded files. The WhitelistUtils#match method incorrectly deems URLs ending with extensions like .js as safe, bypassing permission checks. This enables attackers to upload HTML files containing malicious JavaScript by specifying arbitrary file extensions, such as accessing "upload/1.js". The TokenFilter is involved in the permission validation process.

Recommendations Update to version 2.10.14 or later.