References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Change History

https://github.com/datalens-tech/datalens/security/advisories/GHSA-6278-2wvc-4p93

DataLens is a business intelligence and data visualization system. A specifically crafted request allowed the creation of a special chart type with the ability to pass custom javascript code that would later be executed in an unprotected sandbox on subsequent requests to that chart. The problem was fixed in the datalens-ui version `0.1449.0`. Restricting access to the API for creating or modifying charts (`/charts/api/charts/v1/`) would mitigate the issue.

GitHub, Inc. AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

GitHub, Inc. CWE-79

GitHub, Inc. https://github.com/datalens-tech/datalens/security/advisories/GHSA-6278-2wvc-4p93 [No types assigned]