
Cloud Vulnerability DB
A community-led vulnerabilities database
D-Tale is the combination of a Flask back-end and a React front-end to view and analyze Pandas data structures. Prior to version 3.7.0, users hosting D-Tale publicly were vulnerable to remote code execution, allowing attackers to run malicious code on the server. The vulnerability was disclosed on October 24, 2023 and patched in version 3.7.0 (GitHub Advisory, NVD).
The vulnerability stems from the 'Custom Filter' input feature, which accepts a free-form filter expression from the browser and evaluates it server-side against the loaded DataFrame; that input could be abused to execute arbitrary code on the server. NIST NVD assigned a CVSS v3.1 base score of 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), while GitHub rates it MEDIUM at 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (NVD). The two vectors disagree on whether user interaction is required and on the impact level; the NVD vector is the one consistent with unauthenticated code execution on a publicly reachable instance, so treat it as the planning figure.
When D-Tale is hosted publicly, an attacker who can reach the web interface can execute arbitrary code on the server with the privileges of the D-Tale process, potentially leading to complete system compromise. All versions prior to 3.7.0 are affected (GitHub Advisory).
The issue was patched in version 3.7.0 by turning off the 'Custom Filter' input by default. For users unable to upgrade, the only workaround is to restrict D-Tale access to trusted users. Users who need the Custom Filter functionality in version 3.7.0 or later can enable it by passing enable_custom_filters=True to the dtale.show call, configuring it in the dtale.ini config file, or setting it programmatically through the global state (GitHub Advisory). Re-enabling it restores the same server-side evaluation surface, so it should only be switched on for instances reachable solely by trusted users.
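The following is an added audit helper, not code from the D-Tale project or the advisory. It encodes the advisory's logic so an operator can check a deployment offline: any version below 3.7.0 is exposed regardless of configuration, and on 3.7.0 or later the feature is only exposed if enable_custom_filters has been switched on in one of the three places listed above. The dtale.ini section name "[app]", the boolean key name, and the shape of the kwargs/global-state dicts are assumptions made for this example; the sample ini text is constructed, not taken from a real deployment.

```python
"""Added audit helper (not D-Tale's own code): is a D-Tale instance exposed to
the pre-3.7.0 custom-filter RCE, or has the 3.7.0 opt-in switch been re-enabled?

Assumptions for this example (not stated in the advisory): the dtale.ini section
is "[app]" and the key is "enable_custom_filters"; the same key is what a caller
would pass to dtale.show() or set in dtale's global state.
"""
import configparser
from typing import Optional

FIXED_VERSION = (3, 7, 0)  # custom filters are off by default from this release


def parse_version(version: str) -> tuple:
    """Turn '3.6.1', '3.7' or '3.7.0.post1' into a comparable 3-tuple of ints,
    ignoring any non-numeric suffix and padding missing components with 0."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def custom_filters_enabled(ini_text: Optional[str] = None,
                           show_kwargs: Optional[dict] = None,
                           global_settings: Optional[dict] = None) -> bool:
    """Effective value of enable_custom_filters across the three places the
    advisory says it can be set. Any one of them switching it on is enough."""
    if ini_text:
        cfg = configparser.ConfigParser()
        cfg.read_string(ini_text)
        if cfg.has_section("app") and cfg.getboolean(
                "app", "enable_custom_filters", fallback=False):
            return True
    for source in (show_kwargs, global_settings):
        if source and bool(source.get("enable_custom_filters", False)):
            return True
    return False


def assess(version: str, **settings) -> str:
    """Return 'vulnerable' (pre-3.7.0: filter input cannot be turned off),
    'enabled' (patched release but the opt-in is on: restrict access), or
    'disabled' (patched release with the default configuration)."""
    if parse_version(version) < FIXED_VERSION:
        return "vulnerable"
    return "enabled" if custom_filters_enabled(**settings) else "disabled"


# Constructed sample dtale.ini content for the demonstration; not a real file.
SAMPLE_INI = """
[app]
host = 0.0.0.0
enable_custom_filters = True
"""

if __name__ == "__main__":
    print("3.6.1, defaults        ->", assess("3.6.1"))
    print("3.7.0, defaults        ->", assess("3.7.0"))
    print("3.7.0, ini opt-in      ->", assess("3.7.0", ini_text=SAMPLE_INI))
    print("3.8.0, show() opt-in   ->", assess("3.8.0", show_kwargs={"enable_custom_filters": True}))
```

Run it against the version reported by `pip show dtale` and whatever dtale.ini or show() arguments the deployment actually uses; a result of "vulnerable" means upgrade or take the instance off any untrusted network, and "enabled" means the instance must be reachable only by trusted users.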
Source: This report was generated using AI