CVSS: 8.6EPSS: 0%CPEs: 2EXPL: 0CVE-2024-37359 – Hitachi Vantara Pentaho Business Analytics Server – Server Side Request Forgery
https://notcve.org/view.php?id=CVE-2024-37359
19 Feb 2025 — The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. (CWE-918) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not validate the Host header of incoming HTTP/HTTPS requests. By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, pos... • https://support.pentaho.com/hc/en-us/articles/34296789835917--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Server-Side-Request-Forgery-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-37359 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-5705 – Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization
https://notcve.org/view.php?id=CVE-2024-5705
19 Feb 2025 — The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. (CWE-863) Hitachi Vantara Pentaho Business Analytics Server versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, have modules enabled by default that allow execution of system level processes. When access control checks are incorrectly applied, users can access data or perform actions that th... • https://support.pentaho.com/hc/en-us/articles/34296615099405--Resolved-Hitachi-Vantara-Pentaho-Business-Analytics-Server-Incorrect-Authorization-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-5705 • CWE-863: Incorrect Authorization •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-5706 – Hitachi Vantara Pentaho Data Integration & Analytics - Improper Control of Resource Identifiers ('Resource Injection')
https://notcve.org/view.php?id=CVE-2024-5706
19 Feb 2025 — The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control. (CWE-99) Hitachi Vantara Pentaho Data Integration & Analytics versions before 10.2.0.0 and 9.3.0.9, including 8.3.x, do not restrict JNDI identifiers during the creation of Community Dashboards, allowing control of system-level data sources. An attacker could gain access to or modify sensitive ... • https://support.pentaho.com/hc/en-us/articles/34296195570189--Resolved-Hitachi-Vantara-Pentaho-Data-Integration-Analytics-Improper-Control-of-Resource-Identifiers-Resource-Injection-Versions-before-10-2-0-0-and-9-3-0-9-including-8-3-x-Impacted-CVE-2024-5706 • CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-57964 – Insecure Loading of Dynamic Link Libraries in HVAC Energy Saving Program
https://notcve.org/view.php?id=CVE-2024-57964
18 Feb 2025 — Insecure Loading of Dynamic Link Libraries have been discovered in HVAC Energy Saving Program, which could allow local attackers to potentially disclose information or execute arbitray code on affected systems. This issue affects HVAC Energy Saving Program:. Insecure Loading of Dynamic Link Libraries have been discovered in HVAC Energy Saving Program, which could allow local attackers to potentially disclose information or execute arbitray code on affected systems. This issue affects HVAC Energy Saving Prog... • https://www.hitachi.com/hirt/hitachi-sec/2025/001.html • CWE-427: Uncontrolled Search Path Element •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-57963 – Insecure Loading of Dynamic Link Libraries in USB-CONVERTERCABLE DRIVER
https://notcve.org/view.php?id=CVE-2024-57963
18 Feb 2025 — Insecure Loading of Dynamic Link Libraries have been discovered in USB-CONVERTERCABLE DRIVER, which could allow local attackers to potentially disclose information or execute arbitray code on affected systems. This issue affects USB-CONVERTERCABLE DRIVER:. Insecure Loading of Dynamic Link Libraries have been discovered in USB-CONVERTERCABLE DRIVER, which could allow local attackers to potentially disclose information or execute arbitray code on affected systems. This issue affects USB-CONVERTERCABLE DRIVER:... • https://www.hitachi.com/hirt/hitachi-sec/2025/001.html • CWE-427: Uncontrolled Search Path Element •
CVSS: 9.7EPSS: 0%CPEs: 2EXPL: 0CVE-2024-10205 – Authorization bypass vulnerability in Hitachi Infrastructure Analytics Advisor and Hitachi Ops Center Analyzer
https://notcve.org/view.php?id=CVE-2024-10205
17 Dec 2024 — Authentication Bypass vulnerability in Hitachi Ops Center Analyzer on Linux, 64 bit (Hitachi Ops Center Analyzer detail view component), Hitachi Infrastructure Analytics Advisor on Linux, 64 bit (Hitachi Data Center Analytics component ).This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.3-00; Hitachi Infrastructure Analytics Advisor: from 2.1.0-00 through 4.4.0-00. Authentication Bypass vulnerability in Hitachi Ops Center Analyzer on Linux, 64 bit (Hitachi Ops Center Analyzer detail... • https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-151/index.html • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-45068 – Authentication credentials leakage vulnerability in Hitachi Ops Center Common Services within Hitachi Ops Center OVA
https://notcve.org/view.php?id=CVE-2024-45068
03 Dec 2024 — Authentication credentials leakage vulnerability in Hitachi Ops Center Common Services within Hitachi Ops Center OVA. This issue affects Hitachi Ops Center Common Services: from 10.9.3-00 before 11.0.3-00; Hitachi Ops Center OVA: from 10.9.3-00 before 11.0.2-01. Vulnerabilidad de fuga de credenciales de autenticación en Hitachi Ops Center Common Services dentro de Hitachi Ops Center OVA. Este problema afecta a Hitachi Ops Center Common Services: desde 10.9.3-00 hasta 11.0.3-00; Hitachi Ops Center OVA: desde... • https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-149/index.html • CWE-1392: Use of Default Credentials •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9929
https://notcve.org/view.php?id=CVE-2024-9929
26 Nov 2024 — A vulnerability exists in NSD570 that allows any authenticated user to access all device logs disclosing login information with timestamps. A vulnerability exists in NSD570 that allows any authenticated user to access all device logs disclosing login information with timestamps. • https://publisher.hitachienergy.com/preview?DocumentID=8DBD000173&LanguageCode=en&DocumentPartId=&Action=launch • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9928
https://notcve.org/view.php?id=CVE-2024-9928
26 Nov 2024 — A vulnerability exists in NSD570 login panel that does not restrict excessive authentication attempts. If exploited, this could cause account takeover and unauthorized access to the system when an attacker conducts brute-force attacks against the equipment login. Note that the system supports only one concurrent session and implements a delay of more than a second between failed login attempts making it difficult to automate the attacks. A vulnerability exists in NSD570 login panel that does not restrict ex... • https://publisher.hitachienergy.com/preview?DocumentID=8DBD000173&LanguageCode=en&DocumentPartId=&Action=launch • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41156
https://notcve.org/view.php?id=CVE-2024-41156
29 Oct 2024 — Profile files from TRO600 series radios are extracted in plain-text and encrypted file formats. Profile files provide potential attackers valuable configuration information about the Tropos network. Profiles can only be exported by authenticated users with write access. Profile files from TRO600 series radios are extracted in plain-text and encrypted file formats. Profile files provide potential attackers valuable configuration information about the Tropos network. • https://publisher.hitachienergy.com/preview?DocumentID=8DBD000147&LanguageCode=en&DocumentPartId=&Action=launch • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •