CVE-2023-46134
Published: 25 October 2023
Summary
CVE-2023-46134 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Man D-Tale. Its CVSS base score is 6.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 15.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as Data Processing Libraries, in the Other ATLAS/OWASP Terms risk domain. MITRE ATLAS techniques in scope: AI Supply Chain Compromise (AML.T0010), Exfiltration via AI Inference API (AML.T0024), External Harms (AML.T0048).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2766
Vulnerability details
D-Tale is the combination of a Flask back-end and a React front-end to view & analyze Pandas data structures. Prior to version 3.7.0, users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. This issue has been patched in version 3.7.0 by turning off "Custom Filter" input by default. The only workaround for versions earlier than 3.7.0 is to only host D-Tale to trusted users.
- CWE(s)
AI Security Analysis
- AI Category: Data Processing Libraries
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: D-Tale is a tool for viewing and analyzing Pandas data structures, where Pandas is a core data processing library commonly used in AI/ML data workflows.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2023-46134 enables remote code execution on publicly hosted D-Tale servers via unsafe 'Custom Filter' input, directly facilitating exploitation of public-facing applications.
MITRE ATLAS Techniques
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.