Vulnerability Description
DataLens is a business intelligence and data visualization system. A specifically crafted request allowed the creation of a special chart type with the ability to pass custom javascript code that would later be executed in an unprotected sandbox on subsequent requests to that chart. The problem was fixed in the datalens-ui version `0.1449.0`. Restricting access to the API for creating or modifying charts (`/charts/api/charts/v1/`) would mitigate the issue.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/datalens-tech/datalens/security/advisories/GHSA-6278-2wvc-4p9
- https://github.com/datalens-tech/datalens/security/advisories/GHSA-6278-2wvc-4p9
FAQ
What is CVE-2024-29890?
CVE-2024-29890 is a vulnerability with a CVSS score of 8.8 (HIGH). DataLens is a business intelligence and data visualization system. A specifically crafted request allowed the creation of a special chart type with the ability to pass custom javascript code that woul...
How severe is CVE-2024-29890?
CVE-2024-29890 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-29890?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.