
CVSS: 6.1 • EPSS: 3% • CPEs: 1 • EXPL: 1

12 May 2021 — Knowage Suite 7.3 is vulnerable to unauthenticated reflected cross-site scripting (XSS). An attacker can inject arbitrary web script in '/servlet/AdapterHTTP' via the 'targetService' parameter. • https://github.com/piuppi/Proof-of-Concepts/blob/main/Engineering/XSS-KnowageSuite7-3_unauth.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

12 May 2021 — Knowage Suite 7.3 is vulnerable to stored client-side template injection in '/knowage/restful-services/signup/update' via the 'name' parameter. • https://github.com/piuppi/Proof-of-Concepts/blob/main/Engineering/CSTI-KnowageSuite7-3.md • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

12 May 2021 — Knowage Suite 7.3 is vulnerable to stored cross-site scripting (XSS). An attacker can inject arbitrary web script in '/knowage/restful-services/documentnotes/saveNote' via the 'nota' parameter. • https://github.com/piuppi/Proof-of-Concepts/blob/main/Engineering/Stored-XSS-KnowageSuite7-3-notes.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 May 2021 — Knowage Suite 7.3 is vulnerable to stored cross-site scripting (XSS). An attacker can inject arbitrary web script in '/knowage/restful-services/signup/update' via the 'surname' parameter. • https://github.com/piuppi/Proof-of-Concepts/blob/main/Engineering/Stored-XSS-KnowageSuite7-3-surname.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

05 Apr 2021 — A SQL injection vulnerability in Knowage Suite version 7.1 exists in the documentexecution/url analytics driver component via the 'par_year' parameter when running a report. • https://github.com/piuppi/Proof-of-Concepts/blob/main/Engineering/SQLi-KnowageSuite.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
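The entry above names a driver parameter ('par_year') that reaches a SQL statement. The following is an added, illustrative model of that bug class (CWE-89), not Knowage's analytics-driver source: the `sales` table, the `report_*` functions, and the allow-list check are assumptions. It puts the string-built query beside the parameterised one so the difference in behaviour on the same input is visible, and adds the type check a year parameter should pass before it reaches any query at all.

```python
"""Model of the CWE-89 pattern behind a report parameter such as 'par_year'.

Added example code; the schema and function names are assumptions and the
sample rows are constructed. Not Knowage code.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny in-memory report table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales (year TEXT, region TEXT, amount INTEGER)")
    conn.executemany(
        "INSERT INTO sales VALUES (?, ?, ?)",
        [("2019", "north", 10), ("2020", "north", 20), ("2021", "south", 30)],
    )
    return conn


def validate_year(par_year: str) -> bool:
    """Allow-list check: a report year is exactly four digits, nothing else."""
    return re.fullmatch(r"\d{4}", par_year) is not None


def report_unsafe(conn: sqlite3.Connection, par_year: str) -> list:
    """Vulnerable pattern: the driver value is pasted into the SQL text."""
    sql = f"SELECT year, region, amount FROM sales WHERE year = '{par_year}'"
    return conn.execute(sql).fetchall()


def report_safe(conn: sqlite3.Connection, par_year: str) -> list:
    """Fixed pattern: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT year, region, amount FROM sales WHERE year = ?"
    return conn.execute(sql, (par_year,)).fetchall()


def demo() -> dict:
    """Run both variants on a benign value and on a generic tautology.

    The tautology is only there to exercise the model; it is not a payload
    taken from, or claimed to work against, the Knowage driver.
    """
    conn = make_db()
    benign = "2020"
    hostile = "2020' OR '1'='1"
    return {
        "benign_passes_allowlist": validate_year(benign),
        "hostile_passes_allowlist": validate_year(hostile),
        "unsafe_benign": report_unsafe(conn, benign),
        "unsafe_hostile": report_unsafe(conn, hostile),   # returns every row
        "safe_benign": report_safe(conn, benign),
        "safe_hostile": report_safe(conn, hostile),       # no year equals that literal
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both layers matter: the bound parameter stops the value from changing the statement, and the allow-list rejects garbage before it costs a round trip or reaches a downstream component (a driver that builds filter expressions, say) that does its own interpolation.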

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

05 Apr 2021 — Knowage Suite before 7.4 is vulnerable to reflected cross-site scripting (XSS). An attacker can inject arbitrary web script in /restful-services/publish via the 'EXEC_FROM' parameter, which can lead to data leakage. • https://github.com/piuppi/Proof-of-Concepts/blob/main/Engineering/XSS-KnowageSuite.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

05 Apr 2021 — A stored HTML injection vulnerability exists in Knowage Suite version 7.1. An attacker can inject arbitrary HTML in "/restful-services/2.0/analyticalDrivers" via the 'LABEL' and 'NAME' parameters. • https://github.com/piuppi/Proof-of-Concepts/blob/main/Engineering/HTLM-Injection-KnowageSuite.md • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

05 Apr 2021 — Knowage Suite before 7.4 is vulnerable to cross-site scripting (XSS). An attacker can inject an arbitrary external script in '/knowagecockpitengine/api/1.0/pages/execute' via the 'SBI_HOST' parameter. • https://github.com/piuppi/Proof-of-Concepts/blob/main/Engineering/XSSI-KnowageSuite.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 3% • CPEs: 1 • EXPL: 1

05 Sep 2019 — In Knowage through 6.1.1, an unauthenticated user can bypass access controls and access the entire application. • https://blog.contentsecurity.com.au/knowage-access-control-bypass • CWE-287: Improper Authentication

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

05 Sep 2019 — In Knowage through 6.1.1, the sign-up page does not invalidate a valid CAPTCHA token, which allows CAPTCHA bypass on the sign-up page. • https://blog.contentsecurity.com.au/knowage-captcha-bypass • CWE-287: Improper Authentication
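The defect in the entry above is a check without a consume: the server verifies that a CAPTCHA token is valid but leaves it valid, so one solved challenge authorises any number of sign-ups. The block below is an added example and not Knowage's code; the token store, its TTL and the `signup` wrapper are assumptions. It models the replayable verifier next to a check-and-consume one over the same in-memory store, with an injectable clock so expiry can be exercised offline.

```python
"""Single-use CAPTCHA tokens: the replayable check beside the fixed one.

Added example code; the store design, token format and TTL are assumptions.
"""
import secrets
import time


class CaptchaStore:
    """Server-side registry of proofs that a challenge was solved."""

    def __init__(self, ttl_seconds: float = 300.0, clock=time.monotonic):
        self._valid: dict[str, float] = {}   # token -> expiry timestamp
        self._ttl = ttl_seconds
        self._clock = clock                  # injectable for deterministic tests

    def issue(self) -> str:
        """Called once the user solves a challenge; returns the proof token."""
        token = secrets.token_urlsafe(24)
        self._valid[token] = self._clock() + self._ttl
        return token

    def verify_replayable(self, token: str) -> bool:
        """Flawed check: validates the token but leaves it in the store."""
        expiry = self._valid.get(token)
        return expiry is not None and expiry > self._clock()

    def verify_once(self, token: str) -> bool:
        """Fixed check: remove first, then judge, so a replay finds nothing.

        dict.pop is a single operation, so two concurrent requests carrying the
        same token cannot both see it; in a multi-process deployment the same
        property has to come from the shared store (an atomic delete-and-return).
        """
        expiry = self._valid.pop(token, None)
        return expiry is not None and expiry > self._clock()


def signup(store: CaptchaStore, token: str, consume: bool) -> str:
    """Minimal sign-up handler: the CAPTCHA gate is the only thing modelled."""
    check = store.verify_once if consume else store.verify_replayable
    return "created" if check(token) else "rejected"


def demo() -> dict:
    now = [1000.0]
    store = CaptchaStore(ttl_seconds=300.0, clock=lambda: now[0])

    replayed = store.issue()
    flawed = [signup(store, replayed, consume=False) for _ in range(3)]

    consumed = store.issue()
    fixed = [signup(store, consumed, consume=True) for _ in range(3)]

    stale = store.issue()
    now[0] += 301.0                      # step the clock past the TTL
    expired = signup(store, stale, consume=True)

    forged = signup(store, "not-a-token-we-issued", consume=True)
    return {"flawed": flawed, "fixed": fixed, "expired": expired, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

Consuming on verification is the whole fix; a TTL alone does not help, because the replay window in the page's description is "as long as the token stays valid". Binding the token to the session that solved the challenge closes the remaining gap where a token solved in one browser is spent from another.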