KNIME Server before 4.13.4 allows directory traversal in a request for a client profile.
7.5CVSS
7.5AI Score
0.002EPSS
8.8CVSS
5.9AI Score
0.001EPSS
KNIME Analytics Platform before 4.5.0 is vulnerable to XXE (external XML entity injection) via a crafted workflow file (.knwf), aka AP-17730.
4.7CVSS
4.5AI Score
0.002EPSS
KNIME Server before 4.12.6 and 4.13.x before 4.13.4 (when installed in unattended mode) keeps the administrator's password in a file without appropriate file access controls, allowing all local users to read its content.
5.5CVSS
5.3AI Score
0.0004EPSS
In KNIME Analytics Platform below 4.6.0, the Windows installer sets improper filesystem permissions.
7.8CVSS
7.6AI Score
0.0004EPSS
A directory traversal vulnerability in the ZIP archive extraction routines of KNIME Server since 4.3.0 can result in arbitrary files being overwritten on the server's file system. This vulnerability is also known as 'Zip-Slip'. An attacker can create a KNIME workflow that, when being uploaded, can ...
7.5CVSS
7.9AI Score
0.005EPSS
A directory traversal vulnerability in the ZIP archive extraction routines of KNIME Analytics Platform 3.2.0 and above can result in arbitrary files being overwritten on the user's system. This vulnerability is also known as 'Zip-Slip'. An attacker can create a KNIME workflow that, when being opene...
7CVSS
7.4AI Score
0.002EPSS
The Web Frontend of KNIME Business Hub before 1.4.0 allows an unauthenticated remote attacker to access internals about the application such as versions, host names, or IP addresses. No personal information or application data was exposed.
5.3CVSS
5.3AI Score
0.002EPSS
Missing HTTP headers (X-Frame-Options, Content-Security-Policy) in KNIMEBusiness Hub before 1.4.0 has left users vulnerable to clickjacking. Clickjacking is an attack that occurs when an attacker uses atransparent iframe in a window to trick a user into clicking on anactionable item, such as a butt...
4.3CVSS
4.6AI Score
0.0005EPSS
An unsafe default configuration in KNIME Analytics Platform before 5.2.0 allows for a cross-site scripting attack. When KNIME Analytics Platform is used as an executor for either KNIME Server or KNIME Business Hub several JavaScript-based view nodes do not sanitize the data that is displayed by def...
6.1CVSS
6AI Score
0.001EPSS