CVE-2024-9016 Information

Description

man-group dtale versions <= 3.13.1 contain a vulnerability in which query parameters from the request are passed directly to the run_query function without proper sanitization. This allows unauthenticated remote command execution via the df.query method when the query engine is set to 'python'.
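The weak point described above is a request-supplied query string reaching df.query with the Python engine. One mitigation a deployer or maintainer can put in front of that call is an allowlist check on the expression's syntax tree, so only plain filter expressions over known column names are accepted. The following is an added example written for this page, not code from the dtale project or the advisory; `validate_query` and `ALLOWED_NODES` are names chosen here, and the column set is constructed for the illustration.

```python
import ast

# Node types a plain DataFrame filter legitimately needs: comparisons,
# boolean and arithmetic operators, column names and literal constants.
# Calls, attribute access, subscripts, lambdas and comprehensions are
# deliberately absent, which is what keeps the string from being usable
# as general Python code.
ALLOWED_NODES = (
    ast.Expression, ast.BoolOp, ast.BinOp, ast.UnaryOp, ast.Compare,
    ast.Name, ast.Constant, ast.Load, ast.List, ast.Tuple,
    ast.And, ast.Or, ast.Not, ast.USub,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.In, ast.NotIn,
)

MAX_QUERY_LEN = 1000  # bounds parser work on hostile input (assumed limit)


def validate_query(expr, columns):
    """Return True only if `expr` is a simple filter over `columns`.

    `columns` is the set of DataFrame column names the caller already
    knows; any other bare name (builtins, module names, dunder names)
    is rejected before the string gets anywhere near df.query().
    """
    if not isinstance(expr, str) or not expr.strip() or len(expr) > MAX_QUERY_LEN:
        return False
    try:
        tree = ast.parse(expr, mode="eval")
    except (SyntaxError, ValueError):  # ValueError covers NUL bytes
        return False
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            return False
        if isinstance(node, ast.Name) and node.id not in columns:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: a DataFrame with two columns.
    cols = {"price", "region"}
    for q in ["price > 10 and region == 'eu'",   # accepted
              "price in [1, 2, 3]",               # accepted
              "price.__class__",                  # attribute access: rejected
              "open('x')",                        # call: rejected
              "qty > 1"]:                         # unknown column: rejected
        print(f"{q!r}: {validate_query(q, cols)}")
```

The check is a gate in front of the query call, not a replacement for pinning the engine: where numexpr is available, pandas uses it by default and it does not evaluate arbitrary Python, so passing `engine="numexpr"` explicitly removes the dependence on install-time defaults.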

Reference

https://huntr.com/bounties/8b84de4f-e4c6-44f7-b985-d548b07ccf89
