
702 matches found

NVD
added 2025/10/17 6:15 p.m. | 12 views

CVE-2025-62419

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC URL injection vulnerability exists in the DB2 and MongoDB data source configuration handlers. In the DB2 data source handler, when the extraParams field is empty, the HOSTNAME, PORT, and DATABASE...

8.2 CVSS | 0.00393 EPSS
Exploits: 0 | References: 2

NVD
added 2025/10/17 6:15 p.m. | 2 views

CVE-2025-62421

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a stored cross-site scripting vulnerability exists due to improper file upload validation and authentication bypass. The StaticResourceApi interface defines a route upload/fileId that uses a URL path...

6.9 CVSS | 0.0026 EPSS
Exploits: 0 | References: 1

NVD
added 2025/10/17 6:15 p.m. | 5 views

CVE-2025-62422

DataEase is an open source data visualization and analytics platform. In versions 2.10.13 and earlier, the /de2api/datasetData/tableField interface is vulnerable to SQL injection. An attacker can construct a malicious tableName parameter to execute arbitrary SQL commands. This issue is fixed in...

8.8 CVSS | 0.00463 EPSS
Exploits: 1 | References: 2

NVD
added 2025/10/17 6:15 p.m. | 3 views

CVE-2025-62420

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC driver bypass vulnerability exists in the H2 database connection handler. The getJdbc function in H2.java checks if the jdbcUrl starts with jdbc:h2 but returns a separate jdbc field as the actual...

8.8 CVSS | 0.00915 EPSS
Exploits: 1 | References: 2

CVE
added 2025/10/17 5:11 p.m. | 21 views

CVE-2025-62419

DataEase (DataEase platform) prior to v2.10.14 contains a JDBC URL injection in the DB2 data source handler: when extraParams is empty, HOSTNAME, PORT, and DATABASE are concatenated into the JDBC URL without filtering, allowing an attacker to inject a malicious JDBC string via HOSTNAME to bypass ...

8.2 CVSS | 6.8 AI score | 0.00393 EPSS
Exploits: 0 | References: 2 | Affected Software: 1

Vulnrichment
added 2025/10/17 5:11 p.m. | 6 views

CVE-2025-62419 DataEase vulnerable to JDBC URL injection in DB2 and MongoDB data source configuration

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC URL injection vulnerability exists in the DB2 and MongoDB data source configuration handlers. In the DB2 data source handler, when the extraParams field is empty, the HOSTNAME, PORT, and DATABASE...

8.2 CVSS | 6.8 AI score | 0.00393 EPSS
Exploits: 0 | References: 2

Cvelist
added 2025/10/17 5:11 p.m. | 7 views

CVE-2025-62419 DataEase vulnerable to JDBC URL injection in DB2 and MongoDB data source configuration

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC URL injection vulnerability exists in the DB2 and MongoDB data source configuration handlers. In the DB2 data source handler, when the extraParams field is empty, the HOSTNAME, PORT, and DATABASE...

8.2 CVSS | 0.00393 EPSS
Exploits: 0 | References: 2

OSV
added 2025/10/17 5:11 p.m. | 32 views

CVE-2025-62419 DataEase vulnerable to JDBC URL injection in DB2 and MongoDB data source configuration

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC URL injection vulnerability exists in the DB2 and MongoDB data source configuration handlers. In the DB2 data source handler, when the extraParams field is empty, the HOSTNAME, PORT, and DATABASE...

8.2 CVSS | 7.3 AI score | 0.00393 EPSS
Exploits: 0 | References: 4

EUVD
added 2025/10/17 5:11 p.m. | 4 views

EUVD-2025-34918

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC driver bypass vulnerability exists in the H2 database connection handler. The getJdbc function in H2.java checks if the jdbcUrl starts with jdbc:h2 but returns a separate jdbc field as the actual...

8.2 CVSS | 7.5 AI score | 0.00915 EPSS
Exploits: 1 | References: 2

Cvelist
added 2025/10/17 5:11 p.m. | 9 views

CVE-2025-62420 DataEase vulnerable to remote code execution via H2 JDBC driver bypass

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC driver bypass vulnerability exists in the H2 database connection handler. The getJdbc function in H2.java checks if the jdbcUrl starts with jdbc:h2 but returns a separate jdbc field as the actual...

8.2 CVSS | 0.00915 EPSS
Exploits: 1 | References: 2

Vulnrichment
added 2025/10/17 5:11 p.m. | 2 views

CVE-2025-62420 DataEase vulnerable to remote code execution via H2 JDBC driver bypass

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC driver bypass vulnerability exists in the H2 database connection handler. The getJdbc function in H2.java checks if the jdbcUrl starts with jdbc:h2 but returns a separate jdbc field as the actual...

8.2 CVSS | 7.6 AI score | 0.00915 EPSS
Exploits: 1 | References: 2

CVE
added 2025/10/17 5:11 p.m. | 10 views

CVE-2025-62420

Summary: DataEase (versions up to 2.10.13) contains a JDBC driver bypass vulnerability in the H2 database connection handler. The getJdbc function in H2.java uses the jdbcUrl starting with jdbc:h2 but returns a separate jdbc field as the actual connection URL, allowing an authenticated attacker t...

8.8 CVSS | 7.6 AI score | 0.00915 EPSS
Exploits: 1 | References: 2 | Affected Software: 1

OSV
added 2025/10/17 5:11 p.m. | 4 views

CVE-2025-62420 DataEase vulnerable to remote code execution via H2 JDBC driver bypass

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC driver bypass vulnerability exists in the H2 database connection handler. The getJdbc function in H2.java checks if the jdbcUrl starts with jdbc:h2 but returns a separate jdbc field as the actual...

8.2 CVSS | 8 AI score | 0.00915 EPSS
Exploits: 1 | References: 4

CVE
added 2025/10/17 5:11 p.m. | 13 views

CVE-2025-62421

DataEase CVE-2025-62421 affects DataEase 2.10.13 and earlier. A stored Cross-Site Scripting vulnerability arises from improper file upload validation and authentication bypass, where the StaticResourceApi route upload/{fileId} allows user-controlled filename/extension. During permission checks, a...

6.9 CVSS | 5.9 AI score | 0.0026 EPSS
Exploits: 0 | References: 1 | Affected Software: 1

EUVD
added 2025/10/17 5:11 p.m. | 7 views

EUVD-2025-34916

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a stored cross-site scripting vulnerability exists due to improper file upload validation and authentication bypass. The StaticResourceApi interface defines a route upload/fileId that uses a URL path...

6.9 CVSS | 5.7 AI score | 0.0026 EPSS
Exploits: 0 | References: 1

Cvelist
added 2025/10/17 5:11 p.m. | 6 views

CVE-2025-62421 DataEase vulnerable to stored cross-site scripting via file upload bypass

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a stored cross-site scripting vulnerability exists due to improper file upload validation and authentication bypass. The StaticResourceApi interface defines a route upload/fileId that uses a URL path...

6.9 CVSS | 0.0026 EPSS
Exploits: 0 | References: 1

Vulnrichment
added 2025/10/17 5:11 p.m. | 3 views

CVE-2025-62421 DataEase vulnerable to stored cross-site scripting via file upload bypass

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a stored cross-site scripting vulnerability exists due to improper file upload validation and authentication bypass. The StaticResourceApi interface defines a route upload/fileId that uses a URL path...

6.9 CVSS | 5.9 AI score | 0.0026 EPSS
Exploits: 0 | References: 1

OSV
added 2025/10/17 5:11 p.m. | 2 views

CVE-2025-62421 DataEase vulnerable to stored cross-site scripting via file upload bypass

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a stored cross-site scripting vulnerability exists due to improper file upload validation and authentication bypass. The StaticResourceApi interface defines a route upload/fileId that uses a URL path...

6.9 CVSS | 6.3 AI score | 0.0026 EPSS
Exploits: 0 | References: 3

CVE
added 2025/10/17 5:11 p.m. | 11 views

CVE-2025-62422

DataEase (open source data visualization/analytics platform) contains a SQL injection vulnerability in the /de2api/datasetData/tableField interface for versions up to 2.10.13. An attacker can craft a malicious tableName parameter to execute arbitrary SQL commands. The issue is fixed in version 2....

8.8 CVSS | 7.5 AI score | 0.00463 EPSS
Exploits: 1 | References: 2 | Affected Software: 1

Cvelist
added 2025/10/17 5:11 p.m. | 5 views

CVE-2025-62422 DataEase SQL injection vulnerability

DataEase is an open source data visualization and analytics platform. In versions 2.10.13 and earlier, the /de2api/datasetData/tableField interface is vulnerable to SQL injection. An attacker can construct a malicious tableName parameter to execute arbitrary SQL commands. This issue is fixed in...

8.7 CVSS | 0.00463 EPSS
Exploits: 1 | References: 2