Davide-Zerbetto

**Name of the Vulnerable Software and Affected Versions** Knowage versions 6.x.x through 8.1.7 **Description** Knowage is an open source analytics and business intelligence suite. The endpoint "/knowage/restful-services/dossier/importTemplateFile" allows authenticated users to upload a `template file` on the server without needing authorization. An attacker can upload a JSP file and then connect to "/knowageqbeengine/foo.jsp" to gain code execution on the server. This issue can be exploited by an attacker with low privileges to upload a JSP file to the knowageqbeengine directory and gain code execution capability on the server. **Recommendations** For Knowage versions 6.x.x through 8.1.7, update to version 8.1.8 to resolve the issue. As a temporary workaround, consider restricting access to the "/knowage/restful-services/dossier/importTemplateFile" endpoint and the knowageqbeengine directory to minimize the risk of exploitation. Avoid using the endpoint "/knowageqbeengine/foo.jsp" until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Knowage versions prior to 8.1.8 **Description** Knowage is an open source suite for business analytics that uses user-supplied data to create HQL queries without prior sanitization. An attacker can create specially crafted HQL queries to break subsequent SQL queries generated by the Hibernate engine. The endpoint "/knowage/restful-services/2.0/documents/listDocument" calls the "countBIObjects" method of the "BIObjectDAOHibImpl" object with the user-supplied `label` parameter without prior sanitization, leading to SQL injection in the backing database. Other injections have been identified in the application as well. An authenticated attacker with low privileges could leverage this issue to retrieve sensitive information from the database, such as account credentials or business information. **Recommendations** For versions prior to 8.1.8, upgrade to version 8.1.8 to address the issue. As a temporary workaround, consider restricting access to the "/knowage/restful-services/2.0/documents/listDocument" endpoint and limiting the use of the `label` parameter until the issue is resolved. Additionally, restrict access to the "countBIObjects" method of the "BIObjectDAOHibImpl" object to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Knowage versions 6.0.0 through 8.1.7 **Description** The issue allows an attacker to register and activate their account without having to click on the link included in the email, giving them access to the application as a normal user. **Recommendations** For versions 6.0.0 through 8.1.7, update to version 8.1.8 to resolve the issue.