Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) dtale is a Web Client for Visualizing Pandas Objects Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the `update-settings` endpoint, allowing an attacker to use `enable_custom_filters` to specify custom filters will be used for exploitation of this vulnerability. Note: This is only exploitable if D-Tale is hosted publicly without restricting access to trusted users. How to fix Cross-site Scripting (XSS)? Upgrade `dtale` to version 3.16.1 or higher.	[,3.16.1)
M Remote Code Execution (RCE)	[,3.14.1)
M Remote Code Execution (RCE) dtale is a Web Client for Visualizing Pandas Objects Affected versions of this package are vulnerable to Remote Code Execution (RCE) via the `run_query` function due to improper sanitization of the `query` parameter. An attacker can execute arbitrary code on the server by sending malicious input. Note: This is only exploitable if "Custom Filter" input is turned on, which is the default option. CVE-2024-8862 is a duplicate of this vulnerability. How to fix Remote Code Execution (RCE)? Upgrade `dtale` to version 3.14.1 or higher.	[,3.14.1)

Go back to all versions of this package