Vantara Pentaho Security Vulnerabilities and Issues — Vantara Pentaho CVE List

Lucene search

HitachiVantara Pentaho

16 matches found

CVE•added 2021/01/29 7:15 p.m.•127 views

CVE-2020-24670

The Dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains a reflected Cross-site scripting vulnerability, which allows an authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'type' attribute of 'dashboardXml' parameter. Remed...

5.4CVSS5.7AI score0.00209EPSS

CVE•added 2021/11/08 4:15 a.m.•99 views

CVE-2021-31602

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. The Security Model has different layers of Access Control. One of these layers is the applicationContext security, which is defined in the applicationContext-spring-security.xml file...

7.5CVSS7.5AI score0.93108EPSS

CVE•added 2023/05/24 10:15 p.m.•61 views

CVE-2022-4815

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x deserialize untrusted JSON data without constraining the parser to approved classes and methods.

8.8CVSS8.3AI score0.00509EPSS

CVE•added 2023/05/24 10:15 p.m.•59 views

CVE-2023-1158

Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x expose dashboard prompts to users who are not part of the authorization list.

4.3CVSS4.6AI score0.00166EPSS

CVE•added 2021/01/29 7:15 p.m.•58 views

CVE-2020-24669

The New Analysis Report in Hitachi Vantara Pentaho through 7.x - 8.x contains a DOM-based Cross-site scripting vulnerability, which allows an authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'Analysis Report Description' field in 'About th...

5.4CVSS5.7AI score0.00209EPSS

CVE•added 2021/11/08 4:15 a.m.•58 views

CVE-2021-34685

UploadService in Hitachi Vantara Pentaho Business Analytics through 9.1 does not properly verify uploaded user files, which allows an authenticated user to upload various files of different file types. Specifically, a .jsp file is not allowed, but a .jsp. file is allowed (and leads to remote code e...

7.2CVSS7.3AI score0.0197EPSS

CVE•added 2021/01/29 7:15 p.m.•56 views

CVE-2020-24666

The Analysis Report in Hitachi Vantara Pentaho through 7.x - 8.x contains a stored Cross-site scripting vulnerability, which allows an authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'Display Name' parameter. Remediated in >= 9.1.0.1

5.4CVSS5.6AI score0.00209EPSS

CVE•added 2021/01/29 7:15 p.m.•55 views

CVE-2020-24665

The Dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains an XML Entity Expansion injection vulnerability, which allows an authenticated remote users to trigger a denial of service (DoS) condition. Specifically, the vulnerability lies in the 'dashboardXml' parameter. Remediated in ...

6.5CVSS6.4AI score0.00671EPSS

CVE•added 2021/11/08 4:15 a.m.•54 views

CVE-2021-34684

Hitachi Vantara Pentaho Business Analytics through 9.1 allows an unauthenticated user to execute arbitrary SQL queries on any Pentaho data source and thus retrieve data from the related databases, as demonstrated by an api/repos/dashboards/editor URI.

9.8CVSS9.9AI score0.3624EPSS

CVE•added 2021/01/29 7:15 p.m.•50 views

CVE-2020-24664

The dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains a reflected Cross-site scripting vulnerability, which allows an authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'pho:title' attribute of 'dashboardXml' parameter. ...

5.4CVSS5.7AI score0.00209EPSS

CVE•added 2021/11/08 4:15 a.m.•49 views

CVE-2021-31599

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. A reports (.prpt) file allows the inclusion of BeanShell scripts to ease the production of complex reports. An authenticated user can run arbitrary code.

8.8CVSS8.6AI score0.00886EPSS

CVE•added 2022/11/02 3:15 p.m.•46 views

CVE-2021-45446

A vulnerability in Hitachi Vantara Pentaho Business Analytics Server versions before 9.2.0.2 and8.3.0.25 does not cascade the hidden property to the children of the Home folder. This directory listing provides an attacker with the complete index of all the resources locatedinside the directory.

7.5CVSS6.1AI score0.00167EPSS

CVE•added 2021/11/08 4:15 a.m.•42 views

CVE-2021-31601

An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. They implement a series of web services using the SOAP protocol to allow scripting interaction with the backend server. An authenticated user (regardless of privileges) can list all ...

7.1CVSS6.4AI score0.00948EPSS

CVE•added 2022/11/02 3:15 p.m.•42 views

CVE-2021-45447

Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.2 and8.3.0.25 with the Data Lineage feature enabled transmits database passwords in clear text. The transmission of sensitive data in clear text allows unauthorized actors with access to thenetwork to sniff and obtain ...

7.7CVSS7.5AI score0.00111EPSS

CVE•added 2022/11/02 4:15 p.m.•38 views

CVE-2021-45448

Pentaho Business AnalyticsServer versions before 9.2.0.2 and 8.3.0.25 using the PentahoAnalyzer plugin exposes a service endpoint for templates which allows auser-supplied path to access resources that are out of bounds. The software uses external input to construct a pathname that is intended to i...

7.1CVSS6.6AI score0.00245EPSS

CVE•added 2021/11/08 4:15 a.m.•32 views

CVE-2021-31600

4.3CVSS4.7AI score0.00216EPSS