CVE-2025-49002

DataEase is an open source business intelligence and data visualization tool. Versions prior to 2.10.10 have a flaw in the patch for CVE-2025-32966 that allows the patch to be bypassed through case insensitivity, because INIT and RUNSCRIPT are prohibited. The vulnerability has been fixed in v2.10.10. No known workarounds are available.

Configurations

Configuration 1

cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*

History

05 Jun 2025, 14:07

| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/dataease/dataease/security/advisories/GHSA-999m-jv2p-5h34 - | () https://github.com/dataease/dataease/security/advisories/GHSA-999m-jv2p-5h34 - Exploit, Third Party Advisory |
| References | () https://github.com/dataease/dataease/security/advisories/GHSA-h7hj-4j78-cvc7 - | () https://github.com/dataease/dataease/security/advisories/GHSA-h7hj-4j78-cvc7 - Exploit, Third Party Advisory |
| CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 9.8 |
| CWE | | NVD-CWE-Other |
| CPE | | cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:* |
| First Time | | Dataease dataease; Dataease |

04 Jun 2025, 14:15

| Type | Values Removed | Values Added |
|---|---|---|
| Summary | | (es) DataEase is an open source tool for business intelligence and data visualization. Versions prior to 2.10.10 have a vulnerability in the patch for CVE-2025-32966 that allows the patch to be bypassed through case insensitivity, since INIT and RUNSCRIPT are prohibited. This vulnerability has been fixed in version 2.10.10. There are no known workarounds. |
| References | () https://github.com/dataease/dataease/security/advisories/GHSA-h7hj-4j78-cvc7 - | () https://github.com/dataease/dataease/security/advisories/GHSA-h7hj-4j78-cvc7 - |

03 Jun 2025, 21:15

| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |

Information

Published : 2025-06-03 21:15

Updated : 2025-06-05 14:07


NVD link : CVE-2025-49002

Mitre link : CVE-2025-49002

CVE.ORG link : CVE-2025-49002



Products Affected
CWE

CWE-290: Authentication Bypass by Spoofing

NVD-CWE-Other