CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1CVE-2021-31599 – Pentaho Business Analytics / Pentaho Business Server 9.1 Remote Code Execution
https://notcve.org/view.php?id=CVE-2021-31599
An issue was discovered in Hitachi Vantara Pentaho through 9.1 and Pentaho Business Intelligence Server through 7.x. A reports (.prpt) file allows the inclusion of BeanShell scripts to ease the production of complex reports. An authenticated user can run arbitrary code. Se ha detectado un problema en Hitachi Vantara Pentaho versiones hasta 9.1 y en Pentaho Business Intelligence Server versiones hasta 7.x. Un archivo de informes (.prpt) permite una inclusión de scripts BeanShell para facilitar la producción de informes complejos. • http://packetstormsecurity.com/files/164772/Pentaho-Business-Analytics-Pentaho-Business-Server-9.1-Remote-Code-Execution.html https://www.hitachi.com/hirt/security/index.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-24666
https://notcve.org/view.php?id=CVE-2020-24666
The Analysis Report in Hitachi Vantara Pentaho through 7.x - 8.x contains a stored Cross-site scripting vulnerability, which allows an authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'Display Name' parameter. Remediated in >= 9.1.0.1 El Analysis Report en Hitachi Vantara Pentaho versiones hasta 7.x - 8.x, contiene una vulnerabilidad de tipo Cross-site scripting almacenado, que permite a usuarios remotos autenticados ejecutar código JavaScript arbitrario. Específicamente, la vulnerabilidad radica en el parámetro "Display Name". Corregido en las versiones posteriores a 9.1.0.1 incluyéndola • http://www.hitachi.com/hirt/hitachi-sec/2020/601.html https://www.accenture.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2020-24664
https://notcve.org/view.php?id=CVE-2020-24664
The dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains a reflected Cross-site scripting vulnerability, which allows an authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'pho:title' attribute of 'dashboardXml' parameter. Remediated in >= 7.1.0.25, >= 8.2.0.6, and >= 8.3.0.0 GA. El dashboard Editor en Hitachi Vantara Pentaho versiones hasta 7.x - 8.x, contiene una vulnerabilidad de tipo Cross-site scripting reflejado, que permite a usuarios remotos autenticados ejecutar código JavaScript arbitrario. Específicamente, la vulnerabilidad radica en el atributo "pho:title" del parámetro "dashboardXml". • https://support.pentaho.com/hc/en-us/articles/360050965992-hirt-sec-2020-601-Multiple-Vulnerabilities-in-Pentaho https://www.accenture.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2020-24670
https://notcve.org/view.php?id=CVE-2020-24670
The Dashboard Editor in Hitachi Vantara Pentaho through 7.x - 8.x contains a reflected Cross-site scripting vulnerability, which allows an authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'type' attribute of 'dashboardXml' parameter. Remediated in >= 7.1.0.25, >= 8.2.0.6, and >= 8.3.0.0 GA. El Dashboard Editor en Hitachi Vantara Pentaho versiones hasta 7.x - 8.x, contiene una vulnerabilidad de tipo Cross-site scripting reflejado, que permite a usuarios remotos autenticados ejecutar código JavaScript arbitrario. Específicamente, la vulnerabilidad radica en el atributo "type" del parámetro "dashboardXml". • http://www.hitachi.com/hirt/hitachi-sec/2020/601.html https://www.accenture.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2020-24669
https://notcve.org/view.php?id=CVE-2020-24669
The New Analysis Report in Hitachi Vantara Pentaho through 7.x - 8.x contains a DOM-based Cross-site scripting vulnerability, which allows an authenticated remote users to execute arbitrary JavaScript code. Specifically, the vulnerability lies in the 'Analysis Report Description' field in 'About this Report' section. Remediated in >= 8.3.0.9, >= 9.0.0.1, and >= 9.1.0.0 GA. El New Analysis Report en Hitachi Vantara Pentaho versiones hasta 7.x - 8.x, contiene una vulnerabilidad de tipo Cross-site scripting basada en DOM, que permite a usuarios remotos autenticados ejecutar código JavaScript arbitrario. Específicamente, la vulnerabilidad se encuentra en el campo "Analysis Report Description" en la sección "About this Report". • http://www.hitachi.com/hirt/hitachi-sec/2020/601.html https://www.accenture.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •