Description
DataEase is an open source data visualization and analytics platform. In versions 2.10.13 and earlier, the /de2api/datasetData/tableField interface is vulnerable to SQL injection. An attacker can construct a malicious tableName parameter to execute arbitrary SQL commands. This issue is fixed in version 2.10.14. No known workarounds exist.
Problem types
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Product status
References
github.com/...taease/security/advisories/GHSA-54m5-xrw4-mv36
github.com/...ommit/3c52cc26c4cca1000294346cf99a84b25d38bfb2
