Skip to content

Remote Code Execution through the Custom Filter Input using update-settings endpoint to turn on custom filters

Moderate
aschonfeld published GHSA-832w-fhmw-w4f4 Dec 13, 2024

Package

pip dtale (pip)

Affected versions

< 3.16.1

Patched versions

3.16.1

Description

Impact

Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server.

Patches

Users should upgrade to version 3.16.1 where the update-settings endpoint blocks the ability for users to update the enable_custom_filters flag. You can find out more information on how to turn that flag on here

Workarounds

The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users.

References

See "Custom Filter" documentation

Severity

Moderate

CVE ID

CVE-2024-55890

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Learn more on MITRE.

Credits