Stored Cross-Site Scripting in Hitachi Vantara Pentaho
CVE-2020-24666

5.4MEDIUM

Key Information:

Vendor: Hitachi
Status: Vantara Pentaho
Vendor: CVE Published:; 29 January 2021

Summary

The Analysis Report feature in Hitachi Vantara Pentaho versions 7.x to 8.x is susceptible to a stored cross-site scripting vulnerability. This flaw allows authenticated remote users to inject and execute arbitrary JavaScript code through the 'Display Name' parameter. Attackers leveraging this vulnerability could potentially manipulate user sessions, steal sensitive information, and conduct phishing attacks. The issue has been addressed and remediated in versions 9.1.0.1 and onwards, emphasizing the importance of updating to secure systems against such risks.

References

https://www.accenture.com

x_refsource_MISC

http://www.hitachi.com/hirt/hitachi-sec/2020/601.html

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 29, 2021
Vulnerability Reserved
Aug 26, 2020