21 matches found
CVE-2019-13188
CVE-2019-13188 affects Knowage up to version 6.1.1, where an unauthenticated user can bypass access controls and gain access to the entire application. The connected sources consistently describe an access-control bypass vulnerability enabling full visibility/interaction with the Knowage applicat...
CVE-2021-30213
Knowage Suite 7.3 contains an unauthenticated reflected cross-site scripting (XSS) vulnerability. An attacker can inject arbitrary web script via the targetService parameter in the /servlet/AdapterHTTP endpoint. Impact, as described, could allow malicious scripts to run in the victim’s browser, p...
CVE-2019-13190
Knowage up to version 6.1.1 contains a CAPTCHA bypass vulnerability where the signup page does not invalidate a valid CAPTCHA token, enabling bypass of CAPTCHA on registration. This affects the sign-up functionality and stems from the CAPTCHA token validation flaw described across multiple source...
CVE-2021-30211
CVE-2021-30211 affects Knowage Suite 7.3. The vulnerability is a Stored Cross-Site Scripting (XSS) flaw in the REST endpoint /knowage/restful-services/signup/update, exploitable via the surname parameter. The issue allows an attacker to inject arbitrary web scripts, potentially executed in victim...
CVE-2022-39295
CVE-2022-39295 affects Knowage-Server (KnowageLabs) 6.x and earlier, with vulnerable versions prior to 7.4.22, 8.0.9, and 8.1.0. The issue is a cross-site scripting vulnerability where the XSSRequestWrapper.stripXSS method can be bypassed. Patches are available in 7.4.22, 8.0.9, and 8.1.0. No pub...
CVE-2021-30212
CVE-2021-30212 affects Knowage Suite 7.3 and is a Stored Cross-Site Scripting (XSS) vulnerability. The exposed component is the RESTful service at /knowage/restful-services/documentnotes/saveNote, where an attacker can inject arbitrary web scripts via the nota parameter. The CVE details in the co...
CVE-2021-30214
Knowage Suite 7.3 is vulnerable to Stored Client-Side Template Injection at /knowage/restful-services/signup/update through the name parameter. Root cause: the system stores client templates via the name parameter, enabling injection. Impact per sources is limited to client-side template manipula...
CVE-2023-38702
Knowage (open source analytics BI suite) prior to 8.1.8 is affected by CVE-2023-38702. An unauthenticated user can reach the endpoint /knowage/restful-services/dossier/importTemplateFile and upload a template file to the knowageqbeengine directory. Uploading a JSP file to that directory enables c...
CVE-2023-37472
Knowage exposes a CVE-2023-37472 SQL injection vulnerability in prior to 8.1.8. The issue arises when user-supplied data is used to build HQL queries, allowing crafted queries to affect subsequent SQL executed by Hibernate, specifically via the endpoint /knowage/restful-services/2.0/documents/lis...
CVE-2019-13348
CVE-2019-13348 affects Knowage up to 6.1.1: an authenticated user who visits the datasources page can access data source credentials in cleartext (including database credentials). Multiple connected sources corroborate this vulnerability (NVD entry, Red Hat advisory, CNVD, OSV, CVE listings). Roo...
CVE-2021-30056
CVE-2021-30056 affects Knowage Suite prior to 7.4, where a reflected XSS vulnerability exists in the /restful-services/publish endpoint via the EXEC_FROM parameter, potentially leading to data leakage. The issue is documented across multiple feeds (NVD/Red Hat/CNVD/etc.). Mitigation is to upgrade...
CVE-2018-12355
CVE-2018-12355 affects Knowage (formerly SpagoBI) 6.1.1 with a cross-site scripting vulnerability in the Olap Schemas’ Catalogue exposed via the name or description fields. Multiple sources corroborate an XSS in Knowage 6.1.1; the vulnerability enables injection of arbitrary scripts through the s...
CVE-2021-30058
CVE-2021-30058 affects Knowage Suite prior to 7.4. The vulnerability is a cross-site scripting (XSS) flaw that allows an attacker to inject arbitrary external scripts via the SBI_HOST parameter in the request to /knowagecockpitengine/api/1.0/pages/execute. Impact is described as enabling injectio...
CVE-2021-30057
CVE-2021-30057 is a stored HTML injection vulnerability in Knowage Suite (v7.1). An attacker can inject arbitrary HTML into the endpoint /restful-services/2.0/analyticalDrivers by manipulating the LABEL and NAME parameters. Public references in multiple feeds corroborate a vulnerability in Knowag...
CVE-2023-36819
Knowage Server suffers a path-traversal vulnerability in the download template endpoint (/knowage/restful-services/dossier/importTemplateFile_) for 6.x.x up to 8.1.7, where the templateName parameter is not sanitized, allowing crafting of ../ to escape the template directory and read arbitrary fi...
CVE-2019-13189
Knowage up to version 6.1.1 is vulnerable to a Cross-Site Scripting (XSS) flaw that can be triggered via the start_url or user_id parameter targeting the ChangePwdServlet. The issue stems from insufficient validation of client-side data, enabling an attacker to inject and execute script in the us...
CVE-2021-30055
CVE-2021-30055 is a SQL injection vulnerability in Knowage Suite 7.1, affecting the documentexecution/url analytics driver via the par_year parameter when generating a report. Root cause: improper handling of input in the URL analytics driver leading to SQL commands being injected. Impact: potent...
CVE-2023-35154
CVE-2023-35154 is a Knowage-Server vulnerability: from Knowage 6.0.0 up to 8.1.7, an attacker can register and activate an account without clicking the email link, effectively gaining access as a normal user. Root cause is an account‑validation bypass in the authentication/registration flow. The ...
CVE-2025-55007
Knowage (open source analytics/BI) prior to version 8.1.37 is affected by a server-side request forgery vulnerability that lets an attacker issue requests to arbitrary hosts/paths. The attacker cannot read the response, which limits impact, but the issue could be used to scan internal networks. T...
CVE-2025-59954
CVE-2025-59954 affects Knowage: versions 8.1.26 and earlier are vulnerable to remote code execution due to an unsafe org.apache.commons.jxpath.JXPathContext usage in MetaService.java. The issue enables a hostile actor to execute code remotely, with impact described as high on confidentiality, int...
CVE-2025-58441
Knowage (open source analytics/BI suite) prior to version 8.1.37 is affected by a blind server-side request forgery (SSRF). The issue allows an attacker to send requests to arbitrary hosts/paths, but cannot read responses, limiting direct impact. However, it could be used to scan internal network...