cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-28984,https://securityvulnerability.io/vulnerability/CVE-2024-28984,Pentaho Server Vulnerable to URL Injection Attacks,"Hitachi Vantara Pentaho Business Analytics Server prior to versions 10.1.0.0 and 9.3.0.7, including 8.3.x allow a malicious URL to inject content into the Analyzer plugin interface.",Hitachi Vantara,Pentaho Business Analytics Server,6.1,MEDIUM,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-06-26T23:15:00.000Z,0
CVE-2024-28982,https://securityvulnerability.io/vulnerability/CVE-2024-28982,Pentaho Server Vulnerable to XML External Entity Reference Attack,"The vulnerability affects the Hitachi Vantara Pentaho Business Analytics Server, where an improper restriction of the ACL service endpoint enables potential exploitation through XML External Entity (XXE) reference. This flaw arises in versions prior to 10.1.0.0, 9.3.0.7, and 8.3.x, exposing users and systems to the risk of unauthorized access or data leakage. Proper security measures and updates should be implemented to mitigate this vulnerability.",Hitachi Vantara,Pentaho Business Analytics Server,8.2,HIGH,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-06-26T23:15:00.000Z,0
CVE-2023-2358,https://securityvulnerability.io/vulnerability/CVE-2023-2358,"Hitachi Vantara Pentaho Business Analytics Server – Password Stored in a Recoverable Format","Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.5.0.0 and 9.3.0.4, including 8.3.x.x, saves passwords of the Hadoop Copy Files step in plaintext.",Hitachi,Pentaho Business Analytics Server,4.3,MEDIUM,0.0006399999838322401,false,,false,false,false,,,false,false,,2023-09-27T15:18:00.000Z,0
CVE-2023-1158,https://securityvulnerability.io/vulnerability/CVE-2023-1158,"Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization","Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.1 and 9.3.0.3, including 8.3.x expose dashboard prompts to users who are not part of the authorization list.",Hitachi,Pentaho Business Analytics Server,4.3,MEDIUM,0.0004900000058114529,false,,false,false,false,,,false,false,,2023-05-24T22:15:00.000Z,0
CVE-2022-4815,https://securityvulnerability.io/vulnerability/CVE-2022-4815,"Hitachi Vantara Pentaho Business Analytics Server - Deserialization of Untrusted Data","Hitachi Vantara Pentaho Business Analytics Server versions earlier than 9.4.0.1 and 9.3.0.3, as well as all versions in the 8.3.x series, are susceptible to a vulnerability that allows deserialization of untrusted JSON data. This flaw arises from the absence of constraints on the parser, permitting it to process potentially malicious data. The lack of validation and control over the classes and methods involved can lead to security risks, enabling attackers to exploit this weakness to execute unauthorized actions on affected systems.",Hitachi,Pentaho Business Analytics Server,8,HIGH,0.0010300000431016088,false,,false,false,false,,,false,false,,2023-05-24T21:30:37.243Z,0
CVE-2022-43770,https://securityvulnerability.io/vulnerability/CVE-2022-43770,Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization,"Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.4 and 8.3.0.27 does not correctly perform an authorization check in the dashboard editor plugin API.",Hitachi,Pentaho Business Analytics Server,5.4,MEDIUM,0.0010900000343099236,false,,false,false,false,,,false,false,,2023-04-11T15:48:16.650Z,0
CVE-2022-3695,https://securityvulnerability.io/vulnerability/CVE-2022-3695,"Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation","Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.3.0.0, 9.2.0.4 and 8.3.0.27 allow a malicious URL to inject content into a dashboard when the CDE plugin is present.",Hitachi,Pentaho Business Analytics Server,6.5,MEDIUM,0.0005600000149570405,false,,false,false,false,,,false,false,,2023-04-11T15:45:03.366Z,0
CVE-2022-4771,https://securityvulnerability.io/vulnerability/CVE-2022-4771,"Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x allow a malicious URL to inject content into the Pentaho User Console through session variables.",Hitachi,Pentaho Business Analytics Server,5.4,MEDIUM,0.0007200000109151006,false,,false,false,false,,,false,false,,2023-04-03T18:58:44.148Z,0
CVE-2022-4770,https://securityvulnerability.io/vulnerability/CVE-2022-4770,"Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing Sensitive Information","Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x display the full parametrized SQL query in an error message when an invalid character is used within a Pentaho Report (*.prpt).",Hitachi,Pentaho Business Analytics Server,4.3,MEDIUM,0.000539999979082495,false,,false,false,false,,,false,false,,2023-04-03T18:56:17.800Z,0
CVE-2022-4769,https://securityvulnerability.io/vulnerability/CVE-2022-4769,"Hitachi Vantara Pentaho Business Analytics Server - Generation of Error Message Containing Sensitive Information","Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x display the target path on host when a file is uploaded with an invalid character in its name.",Hitachi,Pentaho Business Analytics Server,4.3,MEDIUM,0.000539999979082495,false,,false,false,false,,,false,false,,2023-04-03T18:53:51.840Z,0
CVE-2022-43772,https://securityvulnerability.io/vulnerability/CVE-2022-43772,"Hitachi Vantara Pentaho Business Analytics Server - Insertion of Sensitive Information into Log File","Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x with the Big Data Plugin expose the username and password of clusters in clear text into system logs.",Hitachi,Pentaho Business Analytics Server,3.8,LOW,0.0006500000017695129,false,,false,false,false,,,false,false,,2023-04-03T18:50:58.827Z,0
CVE-2022-3960,https://securityvulnerability.io/vulnerability/CVE-2022-3960,"Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')","Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x cannot allow a system administrator to disable scripting capabilities of the Community Dashboard Editor (CDE) plugin.",Hitachi,Pentaho Business Analytics Server,6.3,MEDIUM,0.0007200000109151006,false,,false,false,false,,,false,false,,2023-04-03T18:48:00.992Z,0
CVE-2022-43941,https://securityvulnerability.io/vulnerability/CVE-2022-43941,"Hitachi Vantara Pentaho Business Analytics Server - Improper Restriction of XML External Entity Reference","The Hitachi Vantara Pentaho Business Analytics Server suffers from a vulnerability that fails to adequately safeguard the Post Analysis service endpoint of its data access plugin. This flaw allows attackers to exploit XML External Entity (XXE) references, potentially leading to exposure of sensitive data or system compromise. Users are urged to upgrade to versions 9.4.0.1, 9.3.0.2 or later to mitigate this security risk.",Hitachi,Pentaho Business Analytics Server,7.1,HIGH,0.0006500000017695129,false,,false,false,false,,,false,false,,2023-04-03T18:44:41.398Z,0
CVE-2022-43771,https://securityvulnerability.io/vulnerability/CVE-2022-43771,"Hitachi Vantara Pentaho Business Analytics Server - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","Hitachi Vantara Pentaho Business Analytics Server versions before 9.4.0.0 and 9.3.0.1, including 8.3.x, using the Pentaho Data Access plugin exposes a service endpoint for CSV import which allows a user supplied path to access resources that are out of bounds.",Hitachi,Pentaho Business Analytics Server,6.5,MEDIUM,0.0006500000017695129,false,,false,false,false,,,false,false,,2023-04-03T18:40:01.396Z,0
CVE-2022-43940,https://securityvulnerability.io/vulnerability/CVE-2022-43940,Hitachi Vantara Pentaho Business Analytics Server - Incorrect Authorization,"The Hitachi Vantara Pentaho Business Analytics Server exhibits a vulnerability where authorization checks are not adequately enforced in the data source management service. This imperfection may allow unauthorized users to access sensitive data or manage resources they should not, posing potential risks to data integrity and confidentiality. Users are advised to update to the versions 9.4.0.1 or 9.3.0.2 to mitigate these risks and secure their analytics environments.",Hitachi,Pentaho Business Analytics Server,8.8,HIGH,0.0010400000028312206,false,,false,false,false,,,false,false,,2023-04-03T18:25:33.397Z,0
CVE-2022-43939,https://securityvulnerability.io/vulnerability/CVE-2022-43939,"Hitachi Vantara Pentaho Business Analytics Server - Use of Non-Canonical URL Paths for Authorization Decisions","The Hitachi Vantara Pentaho Business Analytics Server is affected by a vulnerability that allows an attacker to bypass security restrictions through non-canonical URLs. This flaw impacts versions prior to 9.4.0.1, 9.3.0.2, and includes the 8.3.x series, potentially allowing unauthorized access to sensitive functionalities within the analytics platform. Corrective measures are necessary to prevent exploitation and secure the server against unauthorized access.",Hitachi,Pentaho Business Analytics Server,8.6,HIGH,0.0031500000040978193,false,,false,false,false,,,false,false,,2023-04-03T18:10:32.141Z,0
CVE-2022-43938,https://securityvulnerability.io/vulnerability/CVE-2022-43938,"Hitachi Vantara Pentaho Business Analytics Server - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')","Hitachi Vantara's Pentaho Business Analytics Server prior to versions 9.4.0.1 and 9.3.0.2, including 8.3.x, exposes a critical weakness where system administrators are unable to disable the scripting capabilities of Pentaho Reports (*.prpt) through the JVM script manager. This vulnerability can lead to static code injection risks, as unauthorized scripts may be executed, potentially compromising the integrity and security of data handled by the analytics server.",Hitachi,Pentaho Business Analytics Server,8.8,HIGH,0.0010999999940395355,false,,false,false,false,,,false,false,,2023-04-03T18:06:54.133Z,0
CVE-2022-43773,https://securityvulnerability.io/vulnerability/CVE-2022-43773,"Hitachi Vantara Pentaho Business Analytics Server - Incorrect Permission Assignment for Critical Resource","Hitachi Vantara Pentaho Business Analytics Server is configured with an improperly secured sample HSQLDB data source that has stored procedures enabled. This may allow unauthorized access or manipulations, leading to potential security risks, as users with insufficient privileges could exploit this configuration flaw if the server is exposed in vulnerable environments.",Hitachi,Pentaho Business Analytics Server,8.8,HIGH,0.0010400000028312206,false,,false,false,false,,,false,false,,2023-04-03T17:59:17.255Z,0
CVE-2022-43769,https://securityvulnerability.io/vulnerability/CVE-2022-43769,"Hitachi Vantara Pentaho Business Analytics Server - Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)","The affected versions of Hitachi Vantara Pentaho Business Analytics Server allow certain web services to accept and set property values that contain Spring templates. These templates, if not properly sanitized, may be interpreted downstream, leading to possible content injection and exploitation scenarios. Attackers could leverage this vulnerability to potentially execute arbitrary code or gain unauthorized access to system resources.",Hitachi,Pentaho Business Analytics Server,8.8,HIGH,0.3384400010108948,false,,false,false,false,,,false,false,,2023-04-03T17:47:45.737Z,0
CVE-2021-45448,https://securityvulnerability.io/vulnerability/CVE-2021-45448,Pentaho Business Analytics Server - Pentaho Analyzer plugin exposes a service endpoint for templates which allows a user supplied path to access resources that are out of bounds.,"Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 using the Pentaho Analyzer plugin exposes a service endpoint for templates which allows a user-supplied path to access resources that are out of bounds. The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. By using special elements such as "".."" and ""/"" separators, attackers can escape outside of the restricted location to access files or directories that are elsewhere on the system.",Hitachi,Pentaho Business Analytics Server,7.1,HIGH,0.0006500000017695129,false,,false,false,false,,,false,false,,2022-11-02T15:12:25.164Z,0
CVE-2021-45447,https://securityvulnerability.io/vulnerability/CVE-2021-45447,"Pentaho Business Analytics Server - With the Data Lineage feature enabled, the system transmits database passwords in clear text","Hitachi Vantara Pentaho Business Analytics Server versions before 9.3.0.0, 9.2.0.2 and 8.3.0.25 with the Data Lineage feature enabled transmits database passwords in clear text. The transmission of sensitive data in clear text allows unauthorized actors with access to the network to sniff and obtain sensitive information that can be later used to gain unauthorized access.",Hitachi,Pentaho Business Analytics Server,7.7,HIGH,0.001500000013038516,false,,false,false,false,,,false,false,,2022-11-02T14:56:01.585Z,0
CVE-2021-45446,https://securityvulnerability.io/vulnerability/CVE-2021-45446,"Pentaho Business Analytics Server - Exposure of Information Through Directory Listing","A vulnerability in Hitachi Vantara Pentaho Business Analytics Server versions before 9.2.0.2 and 8.3.0.25 does not cascade the hidden property to the children of the Home folder. This directory listing provides an attacker with the complete index of all the resources located inside the directory.",Hitachi,Pentaho Business Analytics Server,5,MEDIUM,0.001500000013038516,false,,false,false,false,,,false,false,,2022-11-02T14:26:02.105Z,0