Cross-site Scripting Vulnerability in Hitachi Vantara Pentaho Business Analytics Server
CVE-2024-37360

4.4 MEDIUM

Summary

The Hitachi Vantara Pentaho Business Analytics Server is vulnerable to Cross-site Scripting due to improper sanitization of user-controlled input. This vulnerability allows attackers to inject malicious scripts into the Analyzer plugin interface, potentially leading to the theft of sensitive information, such as session cookies, and the ability to perform actions on behalf of the victim. It is crucial for users of versions prior to 10.2.0.0 and 9.3.0.9, including 8.3.x, to apply security updates to mitigate risks associated with this vulnerability.

Affected Version(s)

Pentaho Business Analytics Server 1.0 < 9.3.0.9

Pentaho Data Integration & Analytics 10.0 < 10.2.0.0

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
