423 matches found
CVE-2025-0757
Overview The software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. CWE-79 Description Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x and...
CVE-2025-0756
Overview The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. CWE-99 Description Hitachi Vantara Pentaho Data Integration & Analytics...
CVE-2025-24911
Overview XML documents optionally contain a Document Type Definition DTD, which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. Once the content of the URI is read, it is fed back into the...
CVE-2025-24907
Overview The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' doubled triple dot slash sequences that can resolve to a location that is outside of that directory. CWE-35 Description Hitachi...
CVE-2025-24910
Overview XML documents optionally contain a Document Type Definition DTD, which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. Once the content of the URI is read, it is fed back into the...
CVE-2025-24909
Overview The software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. CWE-79 Description Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x...
CVE-2025-0756
Overview The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. CWE-99 Description Hitachi Vantara Pentaho Data Integration &...
CVE-2025-0758
Overview The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. CWE-732 Description Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x and 8.3.x, is installed...
CVE-2025-0757
Overview The software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. CWE-79 Description Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x...
CVE-2025-24907 Hitachi Vantara Pentaho Data Integration & Analytics – Path Traversal
Overview The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' doubled triple dot slash sequences that can resolve to a location that is outside of that directory. CWE-35 Description Hitachi...
CVE-2025-24907 Hitachi Vantara Pentaho Data Integration & Analytics – Path Traversal
Overview The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' doubled triple dot slash sequences that can resolve to a location that is outside of that directory. CWE-35 Description Hitachi...
CVE-2025-24907
CVE-2025-24907 concerns Hitachi Vantara Pentaho Data Integration & Analytics. Affected versions are before 10.2.0.2, including 9.3.x and 8.3.x. The issue arises because user input used as a file path through the CGG Draw API is not properly neutralized, allowing doubled triple-dot sequences ('......
CVE-2025-24911 Hitachi Vantara Pentaho Business Analytics Server - Improper Restriction of XML External Entity Reference
Overview XML documents optionally contain a Document Type Definition DTD, which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. Once the content of the URI is read, it is fed back into the...
CVE-2025-24911
Hitachi Vantara Pentaho Business Analytics Server prior to version 10.2.0.2 (including 9.3.x and 8.3.x) is vulnerable to an XML External Entity (XXE) exposure in the XMLParserFactoryProducer. The flaw can allow an attacker to read local files via a file:// URI defined as an external entity, and c...
CVE-2025-24911 Hitachi Vantara Pentaho Business Analytics Server - Improper Restriction of XML External Entity Reference
Overview XML documents optionally contain a Document Type Definition DTD, which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. Once the content of the URI is read, it is fed back into the...
CVE-2025-24910
Hitachi Vantara Pentaho Business Analytics Server prior to 10.2.0.2 (including 9.3.x and 8.3.x) is affected by an XML External Entity (XXE) vulnerability in MessageSourceCrawler. The issue allows an attacker to cause the application to read local files via a file:// entity, and can also trigger o...
CVE-2025-24910 Hitachi Vantara Pentaho Business Analytics Server - Improper Restriction of XML External Entity Reference
Overview XML documents optionally contain a Document Type Definition DTD, which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. Once the content of the URI is read, it is fed back into the...
CVE-2025-24910 Hitachi Vantara Pentaho Business Analytics Server - Improper Restriction of XML External Entity Reference
Overview XML documents optionally contain a Document Type Definition DTD, which, among other features, enables the definition of XML entities. It is possible to define an entity by providing a substitution string in the form of a URI. Once the content of the URI is read, it is fed back into the...
CVE-2025-24909
The CVE-2025-24909 issue affects Hitachi Vantara Pentaho Business Analytics Server prior to 10.2.0.2, including 9.3.x and 8.3.x. It arises from improper neutralization of user input in the Analyzer plugin interface, allowing a malicious URL to inject content into a web page served to other users ...
CVE-2025-24909 Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Overview The software does not neutralize or incorrectly neutralize user-controllable input before it is placed in output that is used as a web page that is served to other users. CWE-79 Description Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.2.0.2, including 9.3.x...