Impact
Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server.
Patches
Users should upgrade to version 3.16.1 where the update-settings endpoint blocks the ability for users to update the enable_custom_filters flag. You can find out more information on how to turn that flag on here
Workarounds
The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users.
References
See "Custom Filter" documentation
TaiPhung217 Finder
Impact
Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server.
Patches
Users should upgrade to version 3.16.1 where the
update-settingsendpoint blocks the ability for users to update theenable_custom_filtersflag. You can find out more information on how to turn that flag on hereWorkarounds
The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users.
References
See "Custom Filter" documentation