Dataease: Unfiltered active SVG content leads to Stored XSS

Dataease is an open source data visualization analysis tool. In DataEase 2.10.19 and earlier, the static resource upload interface allows SVG uploads. However, backend validation only checks whether the XML is parseable and whether the root node is svg. It does not sanitize active content such as onload/onerror event handlers or script-capable attributes. As a result, an attacker can upload a malicious SVG and then trigger script execution in a browser by visiting the exposed static resource URL, forming a full stored XSS exploitation chain. This vulnerability is fixed in 2.10.20.

N/A

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

DataEase 跨站脚本漏洞

DataEase是DataEase开源的一个开源的数据可视化分析工具。用于帮助用户快速分析数据并洞察业务趋势，从而实现业务的改进与优化。 Dataease 2.10.19及之前版本存在跨站脚本漏洞，该漏洞源于静态资源上传接口对SVG文件验证不足，可能导致攻击者上传恶意SVG并触发存储型跨站脚本攻击。

N/A

N/A