CVE-2024-57707

CriticalPublic PoC

Published: 07 February 2025

Published

07 February 2025

Modified

28 March 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0015 35.0th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

An issue in DataEase v1 allows an attacker to execute arbitrary code via the user account and password components.

Security Summary

CVE-2024-57707 is a critical code injection vulnerability (CWE-94) in DataEase version 1, enabling arbitrary code execution through the user account and password components. Assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), it was published on 2025-02-07 and affects the application's authentication mechanisms, allowing attackers to inject and execute malicious code remotely.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants high-impact access, compromising confidentiality, integrity, and availability by executing arbitrary code on the affected DataEase v1 instance, potentially leading to full server takeover.

For mitigation details, refer to the advisory at https://github.com/shigophilo/CVE/blob/main/DataEase-v1-code-execute.md.

Details

CWE(s): CWE-94

Affected Products

dataease

1.0.0

References

https://github.com/shigophilo/CVE/blob/main/DataEase-v1-code-execute.md
Broken Link, Exploit, Third Party Advisory · cve@mitre.org