An issue in DataEase v1 allows an attacker to execute arbitrary code via the user account and password components.
The vulnerability classified as CWE-94 (Code Injection) indicates insufficient validation of input data in components handling user account and password. An attacker can supply specially crafted input data that will be interpreted and executed by the application as code. The attack does not require authentication, user interaction, or specific network conditions (network vector, low complexity).
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the server hosting DataEase, which may lead to complete system takeover, data breach, modification or destruction of resources.
Apply patches available from the vendor according to the references. Additionally, it is recommended to restrict access to the DataEase interface only to trusted networks (firewall, VPN) until the update is deployed.
DataEase version 1 (v1) — specific versions indicated in vendor references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDataease
APPDataease1.0.0
Related vulnerabilities
Dataease: RCE poprzez path traversal w parametrze IniFile sterownika JDBC
SQL Injection w Dataease — niekontrolowany parametr tabeli w podglądzie danych
DataEase – obejście uwierzytelnienia przez path traversal w TokenFilter
DataEase: hardkodowany sekret JWT umożliwia przejęcie usługi
DataEase: brak weryfikacji podpisu JWT umożliwia dostęp do dowolnego interfejsu