Volerion logoVolerion
Volerion logoVolerion

DataEase SQL Injection Vulnerability in Dataset Data Interface

Vulnerability

A SQL injection vulnerability has been identified in DataEase versions 2.10.13 and earlier. The issue arises in the '/de2api/datasetData/tableField' interface, where an attacker can manipulate the 'tableName' parameter to execute arbitrary SQL commands. This vulnerability has been patched in version 2.10.14.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can execute arbitrary SQL commands, potentially leading to unauthorized data access or manipulation.

Reproduction

To reproduce this vulnerability, create an Elastic Search server and insert some data. Then, import the corresponding Elastic Search data source and dataset into DataEase. After that, access the '/de2api/datasetData/tableField' interface and provide a crafted 'tableName' parameter that includes malicious SQL payloads. The server will execute the injected SQL commands, demonstrating the SQL injection vulnerability.

Remediation

Users are advised to upgrade to DataEase version 2.10.14, where this vulnerability has been fixed.

Added: Oct 17, 2025, 6:19 PM
Updated: Oct 17, 2025, 6:19 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
5.0
exploitability
4.6
remediation
7.7
relevance
0.7
threat
6.4
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.