Advisories for Pypi/Dtale package

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-832w-fhmw-w4f4. This link is maintained to preserve external references. Original Description A vulnerability in man-group/dtale versions 3.15.1 allows an attacker to override global state settings to enable the enable_custom_filters feature, which is typically restricted to trusted environments. Once enabled, the attacker can exploit the /test-filter endpoint to execute arbitrary system commands, leading to remote code execution (RCE). …

Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server.

D-Tale is the combination of a Flask back-end and a React front-end to bring you an easy way to view & analyze Pandas data structures. In dtale\views.py, under the route @dtale.route("/chart-data/<data_id>"), the query parameters from the request are directly passed into run_query for execution. And the run_query function calls proceed without performing any processing or sanitization of the query parameter. As a result, the query is directly used in the …

Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server.

man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded SECRET_KEY in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the /update-settings endpoint, even when …

D-Tale is a visualizer for Pandas data structures. Users hosting versions D-Tale prior to 3.9.0 publicly can be vulnerable to server-side request forgery (SSRF), allowing attackers to access files on the server. Users should upgrade to version 3.9.0, where the Load From the Web input is turned off by default. The only workaround for versions earlier than 3.9.0 is to only host D-Tale to trusted users.

D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to version 3.7.0, users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. This issue has been patched in version 3.7.0 by turning off "Custom Filter" input by default. The only workaround for versions earlier than 3.7.0 is to only …