Impact
DataEase versions before 2.10.24 render dashboard text components with Vue's v-html attribute without server‑side sanitization. An attacker who is authenticated and has permission to edit a dashboard component can inject HTML with executable event handlers. When another user opens the dashboard or accesses a shared link, the malicious script runs in that user’s browser, potentially stealing session cookies, hijacking the session, or executing additional harmful actions. This is a stored XSS vulnerability identified as CWE‑79.
Affected Systems
DataEase, the open source data visualization and analysis platform, is affected in all releases older than 2.10.24. No other vendors or product versions are listed as impacted.
Risk and Exploitability
The CVSS score of 5.1 indicates a moderate severity. No EPSS score is available, so the exploitation probability is unknown. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker has the ability to edit dashboard content; once the XSS payload is stored, any visitor to the dashboard—including those accessing a shared link—will be exposed. This limitation reduces the attack surface, but because the payload executes automatically in the victim’s browser, it can still lead to significant compromise of confidentiality and integrity for those users.
OpenCVE Enrichment