Basic Information

- CVSS Score: -
- CVE ID: -
- GHSA ID: -
- EPSS Score: -
- CWE: -
- Published: -
- Updated: -
- KEV Status: -
- Technology: -
The vulnerability combines two CWEs.

CWE-434: GitHub issue #2428 demonstrates a file write through the 'id' parameter of /driver/file/upload, and the release note confirms it by stating a fix for 'arbitrary file write via driver management'. The parameter is used unsafely in path construction.

CWE-89: The CVE title and the GHSA explicitly mention SQL injection via dataSourceId, and the release note fixes 'unauthorized SQL execution' in dataset previews. The exact SQLi code is not shown, but the role of dataSourceId in SQL execution and the lack of pre-validation in v1.11.1 strongly suggest insecure SQL concatenation. Confidence in identifying the SQLi function is medium because the evidence is indirect.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| io.dataease:dataease-plugin-common | maven | < 1.11.2 | 1.11.2 |