CVE-2023-32310: 
Java vulnerability analysis and mitigation

DataEase, an open source data visualization and analysis tool, was found to contain an Insecure Direct Object References (IDOR) vulnerability (CVE-2023-32310) affecting versions up to 1.18.6. The vulnerability was discovered in the API interface for deleting dashboards and system messages, which was disclosed on June 1, 2023 (GitHub Advisory).

The vulnerability exists in the API interface that handles dashboard deletion and system message management. When a user attempts to delete their dashboard or messages, the request contains a direct reference to the resource ID. Due to improper access controls, an attacker could manipulate these IDs to delete dashboards or messages belonging to other users. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) (NVD).

The vulnerability allows authenticated users to delete other users' dashboards and system messages without proper authorization. Additionally, attackers can interfere with the interface for marking messages as read, potentially disrupting normal system operations and compromising data integrity (GitHub Advisory).

The vulnerability has been fixed in version 1.18.7 of DataEase. Users are strongly recommended to upgrade to this version as there are no known workarounds for earlier versions (GitHub Release).