PT-2022-24877 · Unknown · Knowage Server

Credit: Jlleitschuh +1
Published: 2022-10-13 · Updated: 2022-10-17
CVE: CVE-2022-39295
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Knowage-Server versions 6.x through 7.4.21
Knowage-Server versions 8.0.0 through 8.0.8
Knowage-Server 8.1.0 and later are not affected. Two release lines are affected in parallel: the 7.x line up to 7.4.21 and the 8.0.x line up to 8.0.8.
Description Knowage is an open source suite for modern business analytics, built as an alternative over big data systems. The server is vulnerable to cross-site scripting because its request-level input filter, XSSRequestWrapper::stripXSS, can be bypassed: the filter strips known dangerous patterns from request parameters, and input crafted to survive that stripping reaches the page unneutralised.
Recommendations For Knowage-Server versions 6.x through 7.4.21, update to version 7.4.22 or later. For Knowage-Server versions 8.0.0 through 8.0.8, update to version 8.0.9 or later. Disabling XSSRequestWrapper::stripXSS is not a workaround: the wrapper is a blacklist-style input filter, and removing it only widens the exposure to every payload it currently does catch. The fixed releases are the remediation; until they are deployed, treat all user-controlled parameters rendered by the server as untrusted and rely on contextual output encoding rather than on the request filter.
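The following is an added illustration and is not Knowage's code, nor the bypass that was reported: it reconstructs a hypothetical blacklist filter in the style that stripXSS-type servlet request wrappers commonly use, feeds it two constructed inputs that survive single-pass stripping for two different reasons (a pattern that re-assembles after one deletion, and an attribute the list never names), and contrasts it with contextual output encoding, which neutralises both. All function names, the pattern list and the payloads are assumptions made for the demonstration.

```python
import html
import re

# Hypothetical blacklist in the style of the widely copied "stripXSS"
# servlet-wrapper pattern. Not Knowage's implementation: it exists only to
# show why single-pass, pattern-based stripping cannot be relied on.
_BLACKLIST = [
    re.compile(r"<script>(.*?)</script>", re.IGNORECASE | re.DOTALL),
    re.compile(r"</script>", re.IGNORECASE),
    re.compile(r"<script(.*?)>", re.IGNORECASE | re.DOTALL),
    re.compile(r"javascript:", re.IGNORECASE),
    re.compile(r"vbscript:", re.IGNORECASE),
    re.compile(r"onload(.*?)=", re.IGNORECASE | re.DOTALL),
    re.compile(r"eval\((.*?)\)", re.IGNORECASE | re.DOTALL),
    re.compile(r"expression\((.*?)\)", re.IGNORECASE | re.DOTALL),
]


def strip_xss(value: str) -> str:
    """Single pass over the blacklist, deleting each match once (the flawed approach)."""
    for pattern in _BLACKLIST:
        value = pattern.sub("", value)
    return value


def strip_xss_fixed_point(value: str, max_rounds: int = 10) -> str:
    """Re-run strip_xss until the output stops changing.

    This closes the nesting hole (a deleted token cannot re-assemble), but
    anything the blacklist never names still passes through untouched.
    """
    for _ in range(max_rounds):
        stripped = strip_xss(value)
        if stripped == value:
            return stripped
        value = stripped
    raise ValueError("input did not stabilise; reject it")


def render_safely(value: str) -> str:
    """Contextual output encoding for an HTML text or quoted-attribute context.

    Every character that could open a tag or terminate an attribute is
    escaped, so the browser treats the whole value as literal text.
    """
    return html.escape(value, quote=True)


def is_inert(rendered: str) -> bool:
    """True if the rendered string can neither open a tag nor break out of a quoted attribute."""
    return not any(c in rendered for c in "<>\"'")


# Constructed payloads for this example; not claimed to be the reported bypass.
NESTED = "<scr<script>ipt>alert(1)</scr<script>ipt>"   # deleting "<script>" once re-assembles it
UNLISTED = "<img src=x onerror=alert(1)>"                # onerror is simply not on the list

if __name__ == "__main__":
    for payload in (NESTED, UNLISTED):
        print("input         :", payload)
        print("strip_xss     :", strip_xss(payload))
        print("fixed point   :", strip_xss_fixed_point(payload))
        print("render_safely :", render_safely(payload))
        print()
```

Running it shows the two failure modes side by side: the nested payload comes out of `strip_xss` as a clean `<script>alert(1)</script>`, and the `onerror` payload is returned verbatim by both the single-pass and the fixed-point filter. Only `render_safely` yields output with no markup-significant characters at all, which is why the remediation for this class of bug is output encoding at the render point (or a strict allowlist parser for rich content), not a longer blacklist.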

Tags: Exploit · Fix · XSS


Weakness Enumeration

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Identifiers

CVE-2022-39295
GHSA-F2GR-6H9J-RWCW

Affected Products

Knowage Server