CVE-2021-30058

Name of the Vulnerable Software and Affected Versions Knowage Suite versions prior to 7.4

Description The issue allows an attacker to inject arbitrary external scripts via the SBI HOST parameter in the "/knowagecockpitengine/api/1.0/pages/execute" API endpoint, leading to cross-site scripting (XSS).

Recommendations For versions prior to 7.4, as a temporary workaround, consider restricting access to the "/knowagecockpitengine/api/1.0/pages/execute" API endpoint and avoid using the SBI HOST parameter until a patch is available. Update to version 7.4 or later to resolve the issue.