Hitachi Vantara · Pentaho · CVE-2020-24665
Name of the Vulnerable Software and Affected Versions:
Hitachi Vantara Pentaho versions 7.x through 8.x before 7.1.0.25
Hitachi Vantara Pentaho versions 8.x before 8.2.0.6
Hitachi Vantara Pentaho versions 8.3.0.0 before GA
Description:
The Dashboard Editor in Hitachi Vantara Pentaho contains an XML Entity Expansion injection issue, allowing authenticated remote users to trigger a denial of service condition. The flaw is in the handling of the `dashboardXml` parameter.
Recommendations:
For Hitachi Vantara Pentaho versions 7.x, update to version 7.1.0.25 or later.
For Hitachi Vantara Pentaho versions 8.x before 8.2.0.6, update to version 8.2.0.6 or later.
For Hitachi Vantara Pentaho versions 8.3.0.0 before GA, update to the GA version or later.
As a temporary workaround, consider restricting access to the `dashboardXml` parameter to minimize the risk of exploitation.
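The description and the workaround above both come down to one control: untrusted XML submitted through a parameter like `dashboardXml` must be parsed by something that refuses entity declarations before any expansion happens. The following is an added example, not Pentaho's code and not the vendor's fix; it uses only the Python standard library, constructs its own sample documents (a benign dashboard and a small two-level entity chain), and shows the stdlib's default parser expanding the entities while a hardened expat-based parser rejects the DOCTYPE, over-deep nesting and oversized input outright. The `dashboard`/`title`/`widget` element names and the size and depth limits are assumptions made for the example.

```python
"""Defensive XML parsing for an untrusted upload such as a dashboardXml value.

Added example, not Pentaho code: it contrasts what a default parser does with
an entity-expansion document against a parser hardened to refuse it.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Limits chosen for this example; a deployment would tune them to real dashboards.
MAX_DOCUMENT_BYTES = 64 * 1024
MAX_DEPTH = 64


class UnsafeXMLError(ValueError):
    """Raised when a document uses the machinery an entity-expansion attack needs."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # No DOCTYPE means no entity declarations at all: no internal subset,
    # no external DTD, nothing to expand.
    raise UnsafeXMLError(f"DOCTYPE rejected: {doctype_name!r}")


def _reject_entity(entity_name, is_parameter_entity, value, base,
                   system_id, public_id, notation_name):
    # Defence in depth: refuse any entity declaration even if a DOCTYPE got through.
    raise UnsafeXMLError(f"entity declaration rejected: {entity_name!r}")


def parse_dashboard_xml(data: bytes) -> ET.Element:
    """Parse untrusted XML into an ElementTree root, or raise UnsafeXMLError."""
    if len(data) > MAX_DOCUMENT_BYTES:
        raise UnsafeXMLError(f"document exceeds {MAX_DOCUMENT_BYTES} bytes")

    builder = ET.TreeBuilder()
    depth = 0

    def start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > MAX_DEPTH:  # deeply nested input is another parser DoS vector
            raise UnsafeXMLError(f"nesting deeper than {MAX_DEPTH}")
        builder.start(name, attrs)

    def end(name):
        nonlocal depth
        depth -= 1
        builder.end(name)

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = builder.data
    # No ExternalEntityRefHandler is set, so expat never fetches external entities.
    parser.Parse(data, True)  # an exception raised in a handler aborts parsing and propagates
    return builder.close()


# Constructed sample inputs (not real Pentaho dashboard files).
BENIGN_DASHBOARD = b"""<?xml version="1.0"?>
<dashboard><title>Sales</title><widget id="w1"/></dashboard>"""

# Two-level internal entity: the title expands to four copies of "padding".
# An amplification of four is only enough to make the behaviour visible.
ENTITY_EXPANSION_SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE dashboard [
  <!ENTITY a "padding">
  <!ENTITY b "&a;&a;&a;&a;">
]>
<dashboard><title>&b;</title></dashboard>"""


def is_rejected(data: bytes) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_dashboard_xml(data)
    except UnsafeXMLError:
        return True
    return False


def default_parser_title_length(data: bytes) -> int:
    """What the stdlib default parser does with the same bytes: it expands the entities."""
    return len(ET.fromstring(data).find("title").text)


if __name__ == "__main__":
    print("benign accepted:", not is_rejected(BENIGN_DASHBOARD))
    print("entity sample rejected:", is_rejected(ENTITY_EXPANSION_SAMPLE))
    print("default parser expanded the title to",
          default_parser_title_length(ENTITY_EXPANSION_SAMPLE), "characters")
```

The rejection happens in the DOCTYPE handler, before expat has read a single entity declaration, so the cost of a hostile document is bounded by the byte-size check rather than by how much it would expand. The same three controls (no DTD, a size cap, a depth cap) are what a server-side fix for this class of issue needs to enforce on the `dashboardXml` input, whichever XML library the application uses.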