Miggo Logo
Miggo Vulnerability Database
CVE-2024-55890

CVE-2024-55890: D-Tale allows Remote Code Execution through the Custom Filter Input

N/A

CVSS Score

Basic Information

CVE ID
CVE-2024-55890
GHSA ID
GHSA-832w-fhmw-w4f4
EPSS Score
0.62277%
CWE
CWE-79
Published
12/13/2024
Updated
12/13/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
-
Package NameEcosystemVulnerable VersionsFirst Patched Version
dtalepip< 3.16.13.16.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the ability to enable custom filters through the update-settings endpoint. The patch in commit 1e26ed3 specifically adds validation to block 'enable_custom_filters' modifications in views.py. The unpatched version of update_settings() lacked this protection, allowing attackers to activate the dangerous custom filter feature remotely. The GHSA advisory and CVE description explicitly link RCE to improper access control of this flag through the update-settings endpoint.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Us*rs *ostin* *-T*l* pu*li*ly **n ** vuln*r**l* to r*mot* *o** *x**ution *llowin* *tt**k*rs to run m*li*ious *o** on t** s*rv*r. ### P*t***s Us*rs s*oul* up*r*** to v*rsion *.**.* w**r* t** `up**t*-s*ttin*s` *n*point *lo*ks t** **ility *o

Reasoning

T** vuln*r**ility st*ms *rom t** **ility to *n**l* *ustom *ilt*rs t*rou** t** up**t*-s*ttin*s *n*point. T** p*t** in *ommit ******* sp**i*i**lly ***s v*li**tion to *lo*k '*n**l*_*ustom_*ilt*rs' mo*i*i**tions in vi*ws.py. T** unp*t**** v*rsion o* up**